We present a type system for an extension of lambda calculus with a conditional construct, named STA_B, that characterizes the PSPACE class. This system is obtained by extending STA, a type assignment for λ-calculus inspired by Lafont's Soft Linear Logic and characterizing the PTIME class. We extend STA by means of a ground type and terms for booleans and conditional. The key issue in the design of the type system is to manage the contexts in the rule for conditional in an additive way. Thanks to this rule, we are able to program polynomial time Alternating Turing Machines. From the well-known result APTIME = PSPACE, it follows that STA_B is complete for PSPACE.

Conversely, inspired by the simulation of Alternating Turing Machines by means of Deterministic Turing Machines, we introduce a call-by-name evaluation machine with two memory devices in order to evaluate programs in polynomial space. As far as we know, this is the first characterization of PSPACE that is based on lambda calculus and light logics.

Categories and Subject Descriptors: F.3.3 [Logics and meanings of programs]: Studies of program constructs — type structure; F.4.1 [Mathematical logic and formal languages]: Mathematical logic — lambda calculus and related systems, proof theory

General Terms: Languages, Theory, Design

Additional Key Words and Phrases: Implicit Computational Complexity, Polynomial Space, Linear Logic, Type Assignment, Operational Semantics



1. INTRODUCTION 

The argument of this paper fits in the so-called Implicit Computational Complexity area, whose aim is to provide complexity control through language restrictions, without using explicit machine models or external measures. In this setting, we are interested in the design of programming languages with bounded computational complexity. We want to use an ML-like approach, so having a λ-calculus-like language and a type assignment system for it, where the types guarantee, besides the functional correctness, also complexity properties. So, types can be used in a static way in order to check the correct behaviour of the programs, also with respect to the resource usage. According to these lines, we design in this paper a language correct and complete with respect to PSPACE. Namely, we supply, besides the calculus, a type assignment system and an evaluation machine, and we prove that well typed programs can be evaluated by the machine in polynomial space, and moreover that all decision functions computable in polynomial space can be coded by well typed programs.

Light Logics and type systems. Languages characterizing complexity classes through type assignment systems for λ-calculus are already present in the literature, but they are almost all related to time complexity. The key idea is to use as types the formulae of the light logics, which characterize some classes of time complexity: Light Linear Logic (LLL) of Girard [Girard 1998] and Soft Linear Logic (SLL) of Lafont [Lafont 2004] characterize polynomial time, while Elementary Linear Logic (EAL) characterizes elementary time. The characterization is based on the fact that cut-elimination on proofs in these logics is performed in a number of steps which depends in a polynomial or elementary way on the initial size of the proof (while the degree of the proof, i.e., the nesting of exponential rules, is fixed). Moreover, the size of each proof in the cut elimination process can be bounded by a polynomial or an elementary function in the initial size of the proof, respectively. In addition, all these logics are also complete with respect to the related complexity class, using proof-nets for coding functions.

The good properties of such logics have been fruitfully used in order to design type assignment systems for λ-calculus which are correct and complete with respect to the polynomial or elementary time complexity bound. Namely, every well typed term β-reduces to normal form in a number of steps that depends in a polynomial or elementary way on its size, and moreover all functions with the corresponding complexity are representable by a well typed term. Examples of polynomial type assignment systems are in [Baillot and Terui 2004; 2009] and [Gaboardi and Ronchi Della Rocca 2007; 2009], based respectively on LAL (an affine variant of LLL designed by Asperti and Roversi [Asperti and Roversi 2002]) and on SLL. Moreover, an example of an elementary type assignment system is in [Coppola et al. 2005; 2008].

Contribution. In order to use a similar approach for measuring space complexity, since there is no previous logical characterization of PSPACE from which we can start, we exploit the fact that polynomial space computations coincide with polynomial time alternating Turing machine computations (APTIME). In particular, by the results in [Savitch 1970] and [Chandra et al. 1981], it follows

PSPACE = NPSPACE = APTIME

So, we start from the type assignment system STA for λ-calculus introduced in [Gaboardi and Ronchi Della Rocca 2007]. It is based on SLL, in the sense that in STA both types are a proper subset of SLL formulae, and type assignment derivations correspond, through the Curry-Howard isomorphism, to a proper subset of SLL derivations. STA is correct and complete (in the sense said before) with respect to polynomial time computations.

Then we design the language λ_B, which is an extension of λ-calculus with two boolean constants and a conditional constructor, and we supply it with a type assignment system (STA_B), where the types are STA types plus a constant type B for booleans, and rules for conditional. In particular, the elimination rule for conditional is the following:

$$\frac{\Gamma \vdash M : \mathbf{B} \qquad \Gamma \vdash N_0 : A \qquad \Gamma \vdash N_1 : A}{\Gamma \vdash \mathtt{if}\ M\ \mathtt{then}\ N_0\ \mathtt{else}\ N_1 : A}\ (BE)$$

In this rule, contexts are managed in an additive way, that is with free contractions. From a computational point of view, this intuitively means that a computation can repeatedly fork into subcomputations and the result is obtained by a backward computation from all subcomputation results.

While the time complexity result for STA is not related to a particular evaluation strategy, here, for characterizing space complexity, the evaluation should be done carefully. Indeed, an uncontrolled evaluation can construct exponential size terms. So we define a call-by-name SOS evaluation machine, K_B, inspired by Krivine's machine [Krivine 2007] for λ-calculus, where substitutions are made only on head variables. This machine is equipped with two memory devices, and the space used by it is proved to be the dimension of its maximal configuration. The proof is made through the design of an equivalent small-step machine. Then we prove that, if K_B takes a program (i.e., a closed term well typed with a constant type) as input, then the size of each configuration is polynomially bounded in the size of the input. So every program is evaluated by the machine in polynomial space. Conversely, we encode every polynomial time alternating Turing machine by a program well typed in STA_B. The simulation relies on a higher order representation of a parameter substitution recurrence schema inspired by the one in [Leivant and Marion 1994].



Related works. The present work extends the preliminary results that have been presented at POPL '08 [Gaboardi et al. 2008a]. The system STA_B is the first characterization of PSPACE through a type assignment system in the light logics setting. A proposal for a similar characterization has been made by Terui [Terui 2000], but the work has never been completed.

The characterization presented here is strongly based on the additive rule (BE) presented above. The key role played by this rule in the characterization of the PSPACE class has been independently suggested by Hofmann in the context of non-size-increasing computations [Hofmann 2003]. There, the author showed that by adding to his LFPL language a form of restricted duplication one can encode the "quantified boolean formulas problem" and recover exactly the behaviour of the rule (BE). Besides the difference in the setting where our study is developed with respect to Hofmann's one, our work improves on this in the fact that we give a concrete syntactical proof of PSPACE soundness for programs by means of an evaluation machine, while Hofmann's PSPACE soundness relies on a semantic argument that hides the technical difficulties that one needs to deal with in the evaluation of programs. Moreover, we here give a PSPACE completeness result based on the definability of all polynomial time Alternating Turing Machines.

In our characterization we make use of boolean constants in order to have a fine control of the space needed to evaluate programs. A use of constants similar in spirit to the present one has also been employed by the second author in [Leivant and Marion 1993], in order to give a characterization of the PTIME class.

There are several other implicit characterizations of polynomial space computations using principles that differ from the ones explored in this paper. The characterizations in [Leivant and Marion 1994; 1997] and [Oitavem 2001; 2008] are based on ramified recursions over binary words. In finite model theory, PSPACE is captured by first order queries with a partial fixed point operator [Vardi 1982; Abiteboul and Vianu 1989]. The reader may consult the recent book [Grädel et al. 2007]. Finally there are some algebraic characterizations like the ones in [Goerdt 1992] or [Jones 2001], but which are, in essence, over finite domains.

Apart from the class PSPACE, the light logic principles have been used to characterize other interesting complexity classes. In [Maurel 2003] and [Gaboardi et al. 2008b] an explicit sum rule to deal with non-deterministic computation has been studied in the setting of Light Linear Logic and Soft Linear Logic, respectively. Both these works give implicit characterizations of the class NPTIME. Another important work in this direction is the one in [Schöpp 2007] where a logical system characterizing logarithmic space computations is defined, the Stratified Bounded Affine Logic (SBAL). Interestingly, the logarithmic space soundness for SBAL is proved in an interactive way by means of a geometry of interaction algorithm considering only proofs of certain sequents to represent the functions computable in logarithmic space. This idea was already present in the previous work [Schöpp 2006] of the same author and it has been further explored in the recent work [Dal Lago and Schöpp 2010].

Outline of the paper. In Section 2 the system STA_B is introduced and the proofs of subject reduction and strong normalization properties are given. In Section 3 the operational semantics of STA_B programs is defined, through two equivalent abstract evaluation machines. In Section 4 we show that STA_B programs can be executed in polynomial space. In Section 5 the completeness for PSPACE is proved. Section 6 contains some conclusions.

2. SOFT TYPE ASSIGNMENT SYSTEM WITH BOOLEANS 

In this section we present the paradigmatic language λ_B and a type assignment for it, STA_B, and we will prove that STA_B enjoys the properties of subject reduction and strong normalization. λ_B is an extension of the λ-calculus with boolean constants 0, 1 and an if constructor. STA_B is an extension of the type system STA for λ-calculus introduced in [Gaboardi and Ronchi Della Rocca 2007], which assigns to λ-terms a proper subset of formulae of Lafont's Soft Linear Logic [Lafont 2004], and it is correct and complete for polynomial time computations.

Definition 1 (λ_B).

(1) The set λ_B of terms is defined by the following grammar:

$$M ::= x \mid 0 \mid 1 \mid \lambda x.M \mid MM \mid \mathtt{if}\ M\ \mathtt{then}\ M\ \mathtt{else}\ M$$

where x ranges over a countable set of variables and B = {0, 1} is the set of booleans.

(2) The reduction relation $\to_{\beta\delta} \subseteq \lambda_B \times \lambda_B$ is the contextual closure of the following rules:

$$(\lambda x.M)N \to_\beta M[N/x]$$

$$\mathtt{if}\ 0\ \mathtt{then}\ M\ \mathtt{else}\ N \to_\delta M$$

$$\mathtt{if}\ 1\ \mathtt{then}\ M\ \mathtt{else}\ N \to_\delta N$$

$\to^+_{\beta\delta}$ denotes the transitive closure of $\to_{\beta\delta}$ and $\to^*_{\beta\delta}$ denotes its reflexive closure.

(3) The size of a term M is denoted by |M| and is defined inductively as

$$|x| = |0| = |1| = 1 \qquad |\lambda x.M| = |M| + 1 \qquad |MN| = |M| + |N|$$

$$|\mathtt{if}\ M\ \mathtt{then}\ N_0\ \mathtt{else}\ N_1| = |M| + |N_0| + |N_1| + 1$$

Note that we use the term 0 to denote "true" and the term 1 to denote "false".

Notation 1. Terms are denoted by M, N, V, P. In order to avoid unnecessary parentheses, we use the Barendregt convention, so abstraction associates on the left and application associates on the right. Moreover λxy.M stands for λx.λy.M. As usual, terms are considered up to α-equivalence, namely a bound variable can be renamed provided no free variable is captured. Moreover, M[N/x] denotes the capture-free substitution of all free occurrences of x in M by N, FV(M) denotes the set of free variables of M and no(x, M) denotes the number of free occurrences of the variable x in M.

In the sequel we will be interested only in typable terms. 
Definition 2 (STA_B).

(1) The set T_B of types is defined as follows:

$$A ::= \mathbf{B} \mid \alpha \mid \sigma \multimap A \mid \forall\alpha.A \quad \text{(Linear Types)}$$

$$\sigma ::= A \mid !\sigma \quad \text{(Types)}$$

where α ranges over a countable set of type variables and B is the only ground type.

(2) A context is a set of assumptions of the shape x : σ, where all variables are different. We use Γ, Δ to denote contexts.

(3) The system STA_B proves judgments of the shape $\Gamma \vdash M : \sigma$ where Γ is a context, M is a term, and σ is a type. The rules are given in Table I.

Notation 2. Type variables are denoted by α, β, linear types by A, B, C, and types by σ, τ, μ. The symbol ≡ denotes syntactical equality both for types and terms (modulo renaming of bound variables). As usual, ⊸ associates to the right and has precedence over ∀, while ! has precedence over everything else. The notation σ[A/α] stands for the usual capture-free substitution in σ of all occurrences of the type variable α by the linear type A. We use dom(Γ) and FTV(Γ) to denote respectively the sets of variables and of free type variables that occur in the assumptions of the context Γ. The notation Γ#Δ stands for dom(Γ) ∩ dom(Δ) = ∅. Derivations are denoted by Π, Σ, Θ; $\Pi \triangleright \Gamma \vdash M : \sigma$ denotes a derivation Π with conclusion $\Gamma \vdash M : \sigma$. We let $\vdash M : \sigma$ abbreviate $\emptyset \vdash M : \sigma$. As usual, $\forall\vec{\alpha}.A$ is an abbreviation for $\forall\alpha_1 \ldots \forall\alpha_m.A$, and $!^n\sigma$ is an abbreviation for $!\ldots!\sigma$ n times (m, n ≥ 0).

$$\text{(Linear Types)}\quad A, B ::= \mathbf{B} \mid \alpha \mid \sigma \multimap A \mid \forall\alpha.A \qquad\qquad \text{(Types)}\quad \sigma, \tau ::= A \mid !\sigma$$

$$x : A \vdash x : A\ (Ax) \qquad \vdash 0 : \mathbf{B}\ (B_0I) \qquad \vdash 1 : \mathbf{B}\ (B_1I) \qquad \frac{\Gamma \vdash M : \sigma}{\Gamma, x : A \vdash M : \sigma}\ (w)$$

$$\frac{\Gamma, x : \sigma \vdash M : A}{\Gamma \vdash \lambda x.M : \sigma \multimap A}\ (\multimap I) \qquad \frac{\Gamma \vdash M : \sigma \multimap A \quad \Delta \vdash N : \sigma \quad \Gamma\#\Delta}{\Gamma, \Delta \vdash MN : A}\ (\multimap E)$$

$$\frac{\Gamma, x_1 : \sigma, \ldots, x_n : \sigma \vdash M : \tau}{\Gamma, x : !\sigma \vdash M[x/x_1, \ldots, x/x_n] : \tau}\ (m) \qquad \frac{\Gamma \vdash M : \sigma}{!\Gamma \vdash M : !\sigma}\ (sp)$$

$$\frac{\Gamma \vdash M : \forall\alpha.B}{\Gamma \vdash M : B[A/\alpha]}\ (\forall E) \qquad \frac{\Gamma \vdash M : A \quad \alpha \notin FTV(\Gamma)}{\Gamma \vdash M : \forall\alpha.A}\ (\forall I)$$

$$\frac{\Gamma \vdash M : \mathbf{B} \qquad \Gamma \vdash N_0 : A \qquad \Gamma \vdash N_1 : A}{\Gamma \vdash \mathtt{if}\ M\ \mathtt{then}\ N_0\ \mathtt{else}\ N_1 : A}\ (BE)$$

Table I. The Soft Type Assignment system with Booleans

We stress that each type is of the shape $!^n\forall\vec{\alpha}.A$. The type assignment system STA_B is obtained from STA just by adding the rules for dealing with the if constructor. Note that the rule (BE) has an additive treatment of the contexts, and so contraction is free, while all other rules are multiplicative. Moreover STA_B is affine, since weakening is free, so it enjoys the following properties.

Lemma 1 (Free variable lemma).

(1) $\Gamma \vdash M : \sigma$ implies FV(M) ⊆ dom(Γ).

(2) $\Gamma \vdash M : \sigma$, Δ ⊆ Γ and FV(M) ⊆ dom(Δ) imply $\Delta \vdash M : \sigma$.

(3) $\Gamma \vdash M : \sigma$, Γ ⊆ Δ implies $\Delta \vdash M : \sigma$.

Proof. All three points can be easily proved by induction on the derivation proving $\Gamma \vdash M : \sigma$. □

Moreover, the following property holds:

Lemma 2. $\Gamma, x : A \vdash M : !\sigma$ implies x ∉ FV(M).

Proof. Easy, by induction on the derivation proving $\Gamma, x : A \vdash M : !\sigma$, noticing that the only way to have a modal conclusion is by using the (sp) rule. □

In what follows, we will need to talk about proofs modulo some simple operations. 

Definition 3. Let Π and Π' be two derivations in STA_B, proving the same conclusion. Then, Π ⇝ Π' denotes the fact that Π' is obtained from Π by commuting or deleting some rules or by inserting some applications of the rule (w).

The system STA_B is not syntax directed, but the Generation Lemma shows that we can modify the derivations, using just commutation and erasing of rules, in order to connect the shape of a term with the shape of its typings.
Lemma 3 (Generation lemma).

(1) $\Pi \triangleright \Gamma \vdash \lambda x.M : \forall\alpha.A$ implies there is Π', proving the same conclusion as Π and ending with an application of rule (∀I), such that Π ⇝ Π'.

(2) $\Pi \triangleright \Gamma \vdash \lambda x.M : \sigma \multimap A$ implies there is Π', proving the same conclusion as Π and ending with an application of rule (⊸I), such that Π ⇝ Π'.

(3) $\Pi \triangleright \Gamma \vdash M : !\sigma$ implies there is Π', proving the same conclusion as Π, such that Π ⇝ Π' and Π' consists of a subderivation, ending with the rule (sp) proving $!\Gamma' \vdash M : !\sigma$, followed by a sequence of rules (w) and/or (m) dealing with variables not occurring in M.

(4) $\Pi \triangleright\ !\Gamma \vdash M : !\sigma$ implies there is Π', proving the same conclusion as Π and ending with an application of rule (sp), such that Π ⇝ Π'.

Proof. (1) By induction on Π. If the last rule of Π is (∀I) then the conclusion follows immediately. Otherwise consider the case $\lambda y.M \equiv \lambda y.N[x/x_1, \ldots, x/x_n]$ and Π ends as:

$$\frac{\Sigma \triangleright \Gamma, x_1 : \sigma, \ldots, x_n : \sigma \vdash \lambda y.N : \forall\alpha.A}{\Gamma, x : !\sigma \vdash \lambda y.N[x/x_1, \ldots, x/x_n] : \forall\alpha.A}\ (m)$$

By induction hypothesis Σ ⇝ Σ' ending as:

$$\frac{\Sigma_1 \triangleright \Gamma, x_1 : \sigma, \ldots, x_n : \sigma \vdash \lambda y.N : A}{\Gamma, x_1 : \sigma, \ldots, x_n : \sigma \vdash \lambda y.N : \forall\alpha.A}\ (\forall I)$$

Then, the desired Π' is:

$$\frac{\dfrac{\Sigma_1 \triangleright \Gamma, x_1 : \sigma, \ldots, x_n : \sigma \vdash \lambda y.N : A}{\Gamma, x : !\sigma \vdash \lambda y.N[x/x_1, \ldots, x/x_n] : A}\ (m)}{\Gamma, x : !\sigma \vdash \lambda y.N[x/x_1, \ldots, x/x_n] : \forall\alpha.A}\ (\forall I)$$

The cases where Π ends either by the (∀E) or the (w) rule are easier. The other cases are not possible.

(2) Similar to the proof of the previous point of this lemma.

(3) By induction on Π. In the case the last rule of Π is (sp), the proof is obvious. The case where the last rule of Π is (w) follows directly by induction hypothesis. Consider the case where $M \equiv N[x/x_1, \ldots, x/x_n]$ and the last rule is:

$$\frac{\Sigma \triangleright \Delta, x_1 : \tau, \ldots, x_n : \tau \vdash N : !\sigma}{\Delta, x : !\tau \vdash N[x/x_1, \ldots, x/x_n] : !\sigma}\ (m)$$

In the case $x_1, \ldots, x_n \notin FV(N)$ the conclusion follows immediately. Otherwise, by induction hypothesis Σ ⇝ Σ1, where Σ1 is composed of a subderivation Θ ending with a rule (sp) proving $!\Delta_1 \vdash N : !\sigma$, followed by a sequence δ of rules (w) or (m), dealing with variables not occurring in N. Note that for each $x_i$ with 1 ≤ i ≤ n such that $x_i \in FV(N)$, necessarily $x_i : \tau' \in \Delta_1$ and $\tau \equiv !\tau'$. Let Δ2 be the context $\Delta_1 - \{x_1 : \tau', \ldots, x_n : \tau'\}$; then the conclusion follows by the derivation:

$$\frac{\dfrac{\Delta_2, x_1 : \tau', \ldots, x_n : \tau' \vdash N : \sigma}{\Delta_2, x : !\tau' \vdash N[x/x_1, \ldots, x/x_n] : \sigma}\ (m)}{!\Delta_2, x : !\tau \vdash N[x/x_1, \ldots, x/x_n] : !\sigma}\ (sp)$$

followed by a sequence of rules (w) recovering the context Δ from the context Δ2. The other cases are not possible.

(4) By induction on Π. In the case the last rule of Π is (sp), the proof is obvious. The only other possible case is when the last rule is (m). Consider the case where $M \equiv N[x/x_1, \ldots, x/x_n]$ and Π ends as follows:

$$\frac{\Sigma \triangleright\ !\Delta, x_1 : \tau, \ldots, x_n : \tau \vdash N : !\sigma}{!\Delta, x : !\tau \vdash N[x/x_1, \ldots, x/x_n] : !\sigma}\ (m)$$

So the desired derivation Π' is Θ, followed by a rule (m) and a rule (sp). In the case τ is linear, by Lemma 2, $x_i \notin FV(M)$ for each 1 ≤ i ≤ n. Moreover, by the previous point of this lemma, Σ can be rewritten as:

$$\frac{\Sigma_1 \triangleright \Delta_1 \vdash N : \sigma}{!\Delta_1 \vdash N : !\sigma}\ (sp)$$

followed by a sequence δ of rules, all dealing with variables not occurring in N. So δ needs to contain some rules introducing the variables $x_1, \ldots, x_n$. Let δ' be the sequence of rules obtained from δ by erasing such rules, and inserting a (w) rule introducing the variable x. The desired derivation Π' is Σ1 followed by δ', followed by (sp). □

2.1 Subject reduction

In order to prove subject reduction, we first need to prove that the system enjoys the substitution property. This property cannot be proved in the standard way, because of the linearity of the axioms and the fact that the rule (m) renames some variables both in the subject and in the context. So, in order to prove that $\Gamma, x : \mu \vdash M : \sigma$ and $\Delta \vdash N : \mu$ (Γ#Δ) imply $\Gamma, \Delta \vdash M[N/x] : \sigma$, we need to consider all the axioms introducing variables which will be renamed as x in the derivation itself. We need to replace each of them by a disjoint copy of the derivation proving $\Delta \vdash N : \mu$, and finally to apply a suitable number of (m) rules. In order to formalize this procedure we need to introduce the notion of height of a variable in a derivation.

Definition 4. Let $\Pi \triangleright \Gamma, x : \tau \vdash M : \sigma$. The height of x in Π is inductively defined as follows:

— If the last rule of Π is

$$x : A \vdash x : A\ (Ax) \qquad \text{or} \qquad \frac{\Gamma' \vdash M : \sigma}{\Gamma', x : A \vdash M : \sigma}\ (w)$$

then the height of x in Π is 0.

— If the last rule of Π is

$$\frac{\Sigma \triangleright \Gamma', x_1 : \tau, \ldots, x_k : \tau \vdash M : \sigma}{\Gamma', x : !\tau \vdash M[x/x_1, \ldots, x/x_k] : \sigma}\ (m)$$

then the height of x in Π is the maximum among the heights of $x_i$ in Σ, for 1 ≤ i ≤ k, plus one.

— If $x : \tau \in \Gamma$ and the last rule of Π is

$$\frac{\Sigma \triangleright \Gamma \vdash M : \mathbf{B} \qquad \Theta_0 \triangleright \Gamma \vdash N_0 : A \qquad \Theta_1 \triangleright \Gamma \vdash N_1 : A}{\Gamma \vdash \mathtt{if}\ M\ \mathtt{then}\ N_0\ \mathtt{else}\ N_1 : A}\ (BE)$$

then the height of x in Π is the maximum among the heights of x in Σ, Θ0 and Θ1 respectively, plus one.

— In every other case there is only one assumption with subject x both in the context of the conclusion of the rule and in the context of one of its premises Σ. Then the height of x in Π is equal to the height of x in Σ, plus one.

We can now prove the substitution lemma.

Lemma 4 (Substitution lemma). Let $\Gamma, x : \mu \vdash M : \sigma$ and $\Delta \vdash N : \mu$ such that Γ#Δ. Then

$$\Gamma, \Delta \vdash M[N/x] : \sigma$$

Proof. Let Π and Σ be the derivations proving respectively $\Gamma, x : \mu \vdash M : \sigma$ and $\Delta \vdash N : \mu$. By induction on the height of x in Π. The base cases (Ax) and (w) are trivial. The cases where Π ends either by (⊸I), (∀I), (∀E) or (⊸E) follow directly from the induction hypothesis.

Let Π end by the (sp) rule with premise $\Pi' \triangleright \Gamma', x : \mu' \vdash M : \sigma'$. Then by Lemma 3.3, Σ ⇝ Σ'', which is composed of a subderivation ending with an (sp) rule with premise $\Sigma' \triangleright \Delta' \vdash N : \mu'$ followed by a sequence of rules (w) and/or (m). By induction hypothesis we have a derivation $\Theta' \triangleright \Gamma', \Delta' \vdash M[N/x] : \sigma'$. By applying the rule (sp) and the sequence of (w) and/or (m) rules we obtain $\Theta \triangleright \Gamma, \Delta \vdash M[N/x] : \sigma$.

Consider the case Π ends by:

$$\frac{\Pi_0 \triangleright \Gamma, x : \mu \vdash M_0 : \mathbf{B} \qquad \Pi_1 \triangleright \Gamma, x : \mu \vdash M_1 : A \qquad \Pi_2 \triangleright \Gamma, x : \mu \vdash M_2 : A}{\Gamma, x : \mu \vdash \mathtt{if}\ M_0\ \mathtt{then}\ M_1\ \mathtt{else}\ M_2 : A}\ (BE)$$

Then by the induction hypothesis there are derivations $\Theta_0 \triangleright \Gamma, \Delta \vdash M_0[N/x] : \mathbf{B}$, $\Theta_1 \triangleright \Gamma, \Delta \vdash M_1[N/x] : A$ and $\Theta_2 \triangleright \Gamma, \Delta \vdash M_2[N/x] : A$. By applying a (BE) rule we obtain a derivation Θ with conclusion:

$$\Gamma, \Delta \vdash \mathtt{if}\ M_0[N/x]\ \mathtt{then}\ M_1[N/x]\ \mathtt{else}\ M_2[N/x] : A$$

Consider the case Π ends by:

$$\frac{\Pi' \triangleright \Gamma, x_1 : \mu', \ldots, x_m : \mu' \vdash M : \sigma}{\Gamma, x : !\mu' \vdash M[x/x_1, \ldots, x/x_m] : \sigma}\ (m)$$

By Lemma 3.3, Σ ⇝ Σ'' ending by an (sp) rule with premise $\Sigma' \triangleright \Delta' \vdash N : \mu'$ followed by a sequence of rules (w) and/or (m). Consider fresh copies of the derivation Σ', i.e. $\Sigma'_j \triangleright \Delta'_j \vdash N_j : \mu'$ where $N_j$ and $\Delta'_j$ are fresh copies of N and Δ' (1 ≤ j ≤ m). Let $x_j$ be such that its height is maximal among the heights of all $x_i$ (1 ≤ i ≤ m). By induction hypothesis there is a derivation:

$$\Theta_1 \triangleright \Gamma, x_1 : \mu', \ldots, x_{j-1} : \mu', x_{j+1} : \mu', \ldots, x_m : \mu', \Delta'_j \vdash M[N_j/x_j] : \sigma$$

Then, we can repeatedly apply the induction hypothesis to obtain a derivation $\Theta' \triangleright \Gamma, \Delta'_1, \ldots, \Delta'_m \vdash M[N_1/x_1, \ldots, N_m/x_m] : \sigma$. Finally, by applying repeatedly the rules (m) and (w), the conclusion follows. □

We can finally prove the main property of this section.

Lemma 5 (Subject Reduction). Let $\Gamma \vdash M : \sigma$ and $M \to_{\beta\delta} N$. Then $\Gamma \vdash N : \sigma$.

Proof. By induction on the derivation $\Theta \triangleright \Gamma \vdash M : \sigma$. Consider the case of a $\to_\delta$ reduction. Without loss of generality we can consider only the case Θ ends as:

$$\frac{\Pi \triangleright \Gamma \vdash b : \mathbf{B} \qquad \Pi_0 \triangleright \Gamma \vdash M_0 : A \qquad \Pi_1 \triangleright \Gamma \vdash M_1 : A}{\Gamma \vdash \mathtt{if}\ b\ \mathtt{then}\ M_0\ \mathtt{else}\ M_1 : A}\ (BE)$$

where b is either 0 or 1. The others follow directly by induction hypothesis. If b = 0 then $\mathtt{if}\ b\ \mathtt{then}\ M_0\ \mathtt{else}\ M_1 \to_\delta M_0$ and since $\Pi_0 \triangleright \Gamma \vdash M_0 : A$, the conclusion follows. Analogously, if b = 1 then $\mathtt{if}\ b\ \mathtt{then}\ M_0\ \mathtt{else}\ M_1 \to_\delta M_1$ and since $\Pi_1 \triangleright \Gamma \vdash M_1 : A$, the conclusion follows.

Now consider the case of a $\to_\beta$ reduction. Without loss of generality we can consider only the case Θ ends as:

$$\frac{\Pi \triangleright \Gamma_1 \vdash \lambda x.M : \sigma \multimap A \qquad \Sigma \triangleright \Gamma_2 \vdash N : \sigma}{\Gamma_1, \Gamma_2 \vdash (\lambda x.M)N : A}\ (\multimap E)$$

where $\Gamma = \Gamma_1, \Gamma_2$. The others follow directly by induction hypothesis. Clearly $(\lambda x.M)N \to_\beta M[N/x]$. By Lemma 3.2, Π ⇝ Π1 ending as

$$\frac{\Pi_2 \triangleright \Gamma_1, x : \sigma \vdash M : A}{\Gamma_1 \vdash \lambda x.M : \sigma \multimap A}\ (\multimap I)$$

By the Substitution Lemma 4, since $\Pi_2 \triangleright \Gamma_1, x : \sigma \vdash M : A$ and $\Sigma \triangleright \Gamma_2 \vdash N : \sigma$, we have $\Gamma_1, \Gamma_2 \vdash M[N/x] : A$, hence the conclusion follows. □

It is worth noting that, due to the additive rule (BE), STA_B is no longer correct for polynomial time, since terms with an exponential number of reductions can be typed by derivations with a priori fixed degree, where the degree is the nesting of (sp) applications.

Example 1. Consider for n ∈ ℕ the terms $M_n$ of the shape:

$$(\lambda f.\lambda z.f^n z)(\lambda x.\mathtt{if}\ x\ \mathtt{then}\ x\ \mathtt{else}\ x)0$$

It is easy to verify that for each $M_n$ there exist reduction sequences of length exponential in n.

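As an added illustration (not code from the paper), the following Python model of Definition 1 implements capture-free substitution and leftmost-outermost βδ-reduction and counts the reduction steps of the terms M_n of Example 1; the exact count 2^(n+1) for this particular strategy is our own calculation, and the class and function names are ours.

```python
from dataclasses import dataclass
import itertools

# Terms of lambda_B (Definition 1).  Booleans follow the paper: 0 is "true", 1 is "false".
@dataclass(frozen=True)
class Var:
    name: str

@dataclass(frozen=True)
class Bool:
    value: int

@dataclass(frozen=True)
class Lam:
    var: str
    body: object

@dataclass(frozen=True)
class App:
    fun: object
    arg: object

@dataclass(frozen=True)
class If:
    test: object
    then: object
    else_: object

def size(m):
    """Term size |M| as in Definition 1(3)."""
    if isinstance(m, (Var, Bool)):
        return 1
    if isinstance(m, Lam):
        return size(m.body) + 1
    if isinstance(m, App):
        return size(m.fun) + size(m.arg)
    return size(m.test) + size(m.then) + size(m.else_) + 1

def fv(m):
    """Free variables FV(M)."""
    if isinstance(m, Var):
        return {m.name}
    if isinstance(m, Bool):
        return set()
    if isinstance(m, Lam):
        return fv(m.body) - {m.var}
    if isinstance(m, App):
        return fv(m.fun) | fv(m.arg)
    return fv(m.test) | fv(m.then) | fv(m.else_)

_fresh = itertools.count()

def subst(m, x, n):
    """Capture-free substitution M[N/x] (Notation 1): a binder that would
    capture a free variable of N is alpha-renamed first."""
    if isinstance(m, Var):
        return n if m.name == x else m
    if isinstance(m, Bool):
        return m
    if isinstance(m, App):
        return App(subst(m.fun, x, n), subst(m.arg, x, n))
    if isinstance(m, If):
        return If(subst(m.test, x, n), subst(m.then, x, n), subst(m.else_, x, n))
    if m.var == x:                       # x is bound here: no free occurrence below
        return m
    if m.var in fv(n):                   # rename the binder to avoid capture
        y = f"{m.var}_{next(_fresh)}"
        return Lam(y, subst(subst(m.body, m.var, Var(y)), x, n))
    return Lam(m.var, subst(m.body, x, n))

def step(m):
    """One leftmost-outermost beta or delta step; None if M is in normal form."""
    if isinstance(m, App):
        if isinstance(m.fun, Lam):                                   # (beta)
            return subst(m.fun.body, m.fun.var, m.arg)
        f = step(m.fun)
        if f is not None:
            return App(f, m.arg)
        a = step(m.arg)
        return None if a is None else App(m.fun, a)
    if isinstance(m, If):
        if isinstance(m.test, Bool):                                 # (delta)
            return m.then if m.test.value == 0 else m.else_
        t = step(m.test)
        if t is not None:
            return If(t, m.then, m.else_)
        p = step(m.then)
        if p is not None:
            return If(m.test, p, m.else_)
        q = step(m.else_)
        return None if q is None else If(m.test, m.then, q)
    if isinstance(m, Lam):
        b = step(m.body)
        return None if b is None else Lam(m.var, b)
    return None

def normalize(m):
    """Reduce M to normal form with the strategy above; return (normal form, steps)."""
    steps = 0
    while (r := step(m)) is not None:
        m, steps = r, steps + 1
    return m, steps

def m_n(n):
    """M_n of Example 1: (\\f.\\z.f^n z)(\\x.if x then x else x) 0."""
    body = Var("z")
    for _ in range(n):
        body = App(Var("f"), body)
    dup = Lam("x", If(Var("x"), Var("x"), Var("x")))
    return App(App(Lam("f", Lam("z", body)), dup), Bool(0))
```

Each M_n normalizes to 0, but the leftmost-outermost sequence doubles in length with every increment of n because the test and the chosen branch of each conditional both contain a copy of the same subterm.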
2.2 Strong Normalization 

Strong normalization is proved by a translation, preserving reduction, of STA_B into a slight variant of Girard's System F [Girard 1972]. The variant we consider is shown in Table II and it differs from the original system since it has explicit rules for weakening and contraction. It is straightforward to prove that it shares all the properties of the original one, in particular strong normalization.

$$x : A \vdash_F x : A\ (Ax) \qquad \frac{\Gamma \vdash_F M : B}{\Gamma, x : A \vdash_F M : B}\ (w) \qquad \frac{\Gamma, x_1 : A, x_2 : A \vdash_F M : B}{\Gamma, x : A \vdash_F M[x/x_1, x/x_2] : B}\ (c)$$

$$\frac{\Gamma, x : A \vdash_F M : B}{\Gamma \vdash_F \lambda x.M : A \Rightarrow B}\ (\Rightarrow I) \qquad \frac{\Gamma \vdash_F M : A \Rightarrow B \qquad \Delta \vdash_F N : A}{\Gamma, \Delta \vdash_F MN : B}\ (\Rightarrow E)$$

$$\frac{\Gamma \vdash_F M : \forall\alpha.B}{\Gamma \vdash_F M : B[A/\alpha]}\ (\forall E) \qquad \frac{\Gamma \vdash_F M : A \qquad \alpha \notin FTV(\Gamma)}{\Gamma \vdash_F M : \forall\alpha.A}\ (\forall I)$$

Table II. System F with explicit contraction and weakening rules

Definition 5. The types of System F are defined by the following grammar:

$$A, B ::= \alpha \mid A \Rightarrow B \mid \forall\alpha.A$$

where α ranges over a countable set of type variables.

We first define a forgetful map over types and terms.

Definition 6. The map $(-)^*$ is defined on types as:

$$(\mathbf{B})^* = \forall\alpha.\alpha \Rightarrow \alpha \Rightarrow \alpha \qquad (\alpha)^* = \alpha \qquad (\sigma \multimap A)^* = (\sigma)^* \Rightarrow (A)^*$$

$$(!\sigma)^* = (\sigma)^* \qquad (\forall\alpha.A)^* = \forall\alpha.(A)^*$$

and it is defined on terms as:

$$(0)^* = \lambda xy.x \qquad (1)^* = \lambda xy.y \qquad (\mathtt{if}\ M\ \mathtt{then}\ M_1\ \mathtt{else}\ M_2)^* = (M)^*(M_1)^*(M_2)^*$$

$$(\lambda x.M)^* = \lambda x.(M)^* \qquad (MN)^* = (M)^*(N)^*$$

The following lemma assures that the translation is well behaved.

Lemma 6. If $\Gamma \vdash M : \sigma$ then $(\Gamma)^* \vdash_F (M)^* : (\sigma)^*$.

Proof. By induction on the derivation Π proving $\Gamma \vdash M : \sigma$. Let us consider the base cases. The (Ax) case is trivial. Consider the case where Π consists of the rule $(B_0I)$, i.e. $\vdash 0 : \mathbf{B}$. Then we have the following derivation

$$\frac{\dfrac{\dfrac{\dfrac{x : \alpha \vdash_F x : \alpha\ (Ax)}{y : \alpha, x : \alpha \vdash_F x : \alpha}\ (w)}{x : \alpha \vdash_F \lambda y.x : \alpha \Rightarrow \alpha}\ (\Rightarrow I)}{\vdash_F \lambda xy.x : \alpha \Rightarrow \alpha \Rightarrow \alpha}\ (\Rightarrow I)}{\vdash_F \lambda xy.x : \forall\alpha.\alpha \Rightarrow \alpha \Rightarrow \alpha}\ (\forall I)$$

The case where Π consists of the $(B_1I)$ rule is similar. The case where Π ends by the (sp) rule follows directly by induction hypothesis. The cases where Π ends either by a (⊸I), (⊸E) or (w) rule follow by induction hypothesis and an application of the same rule in System F. In the case Π ends as

$$\frac{\Gamma \vdash M : \mathbf{B} \qquad \Gamma \vdash N_0 : A \qquad \Gamma \vdash N_1 : A}{\Gamma \vdash \mathtt{if}\ M\ \mathtt{then}\ N_0\ \mathtt{else}\ N_1 : A}\ (BE)$$

we have a derivation ending as:

$$\frac{\dfrac{\dfrac{(\Gamma)^* \vdash_F (M)^* : (\mathbf{B})^* \equiv \forall\alpha.\alpha \Rightarrow \alpha \Rightarrow \alpha}{(\Gamma)^* \vdash_F (M)^* : (A)^* \Rightarrow (A)^* \Rightarrow (A)^*}\ (\forall E) \qquad (\Gamma)^* \vdash_F (N_0)^* : (A)^*}{(\Gamma)^* \vdash_F (M)^*(N_0)^* : (A)^* \Rightarrow (A)^*}\ (\Rightarrow E) \qquad (\Gamma)^* \vdash_F (N_1)^* : (A)^*}{(\Gamma)^* \vdash_F (M)^*(N_0)^*(N_1)^* : (A)^*}\ (\Rightarrow E)$$

□

Moreover, the translation preserves reduction.

Lemma 7 (Simulation). The following diagram commutes:

$$\begin{array}{ccc} M & \to_{\beta\delta} & N \\ \downarrow{\scriptstyle *} & & \downarrow{\scriptstyle *} \\ (M)^* & \to^+_\beta & (N)^* \end{array}$$

Proof. The case of a β-reduction is trivial, so consider a δ-reduction such as:

$$M \equiv R[\mathtt{if}\ 0\ \mathtt{then}\ P\ \mathtt{else}\ Q] \to_\delta R[P] \equiv N$$

the other case being analogous. By definition of the map $(-)^*$ we have:

$$(M)^* = (R[\mathtt{if}\ 0\ \mathtt{then}\ P\ \mathtt{else}\ Q])^* = R'[(0)^*(P)^*(Q)^*] = R'[(\lambda x.\lambda y.x)(P)^*(Q)^*]$$

and clearly:

$$R'[(\lambda x.\lambda y.x)(P)^*(Q)^*] \to_\beta R'[(\lambda y.(P)^*)(Q)^*] \to_\beta R'[(P)^*] = (N)^*$$

and so the conclusion. □

Now, we have the following.

Theorem 1 (Strong Normalization). If $\Gamma \vdash M : \sigma$ then M is strongly normalizing with respect to the relation $\to_{\beta\delta}$.

Proof. By Lemmas 6 and 7 and the strong normalization of System F. □

3. STRUCTURAL OPERATIONAL SEMANTICS

In this section the operational semantics of terms of λ_B is presented, through an evaluation machine, named K_B, defined in SOS style [Plotkin 2004; Kahn 1987]. The machine K_B is related to the type assignment system STA_B since it evaluates programs (i.e., closed terms of boolean type). The machine allows us to measure the space used during the evaluation. In order to justify our space measure, a small-step version of K_B is used.
3.1 The evaluation machine K_B

The machine K_B evaluates programs according to the leftmost outermost strategy. If restricted to λ-calculus, the machine K_B is quite similar to the Krivine machine [Krivine 2007], since β-reduction is not an elementary step, but the substitution of a term for a variable is performed one occurrence at a time. The machine K_B uses two memory devices, the m-context and the B-context, which memorize respectively the assignments to variables and the control flow.

Definition 7.

— An m-context Δ is a sequence of variable assignments of the shape x := M where M is a term and all the variables are distinct. The symbol ε denotes the empty m-context and the set of m-contexts is denoted by Ctx_m.

The cardinality of an m-context Δ, denoted by #(Δ), is the number of variable assignments in Δ. The size of an m-context Δ, denoted by |Δ|, is the sum of the sizes of the variable assignments in Δ, where a variable assignment x := M has size |M| + 1.

— Let ◦ be a distinguished symbol. The set Ctx_B of B-contexts is defined by the following grammar:

$$C[\circ] ::= \circ \mid (\mathtt{if}\ C[\circ]\ \mathtt{then}\ M\ \mathtt{else}\ N)\,V_1 \cdots V_n$$

The size of a B-context C[◦], denoted by |C[◦]|, is the size of the term obtained by replacing the symbol ◦ by a variable.

The cardinality of a B-context C[◦], denoted by #(C[◦]), is the number of nested B-contexts in it, i.e.:

$$\#(\circ) = 0 \qquad \#((\mathtt{if}\ C[\circ]\ \mathtt{then}\ M\ \mathtt{else}\ N)\,V_1 \cdots V_n) = \#(C[\circ]) + 1$$

It is worth noticing that a B-context C[◦] can be seen as a stack of atomic contexts, where its cardinality #(C[◦]) is the height of such a stack.

Notation 3. The notation Δ1@Δ2 is used for the concatenation of the disjoint m-contexts Δ1 and Δ2. Moreover, [x := M] ∈ Δ denotes the fact that x := M is in the m-context Δ. The notation FV(Δ) identifies the set $\bigcup_{[x := M] \in \Delta} FV(M)$. As usual, C[M] denotes the term obtained by filling the hole [◦] in C[◦] by M. In general we omit the hole [◦] and we range over B-contexts by C. As expected, FV(C) denotes the set FV(C[M]) for every closed term M.

Note that variable assignments in m-contexts are ordered; this fact allows us to define the following closure operation.

Definition 8. Let Δ = {x1 := N1, ..., xn := Nn} be an m-context. Then $(-)^\Delta : \lambda_B \to \lambda_B$ is the map associating to each term M the term

$$(M)^\Delta = M[N_n/x_n][N_{n-1}/x_{n-1}] \cdots [N_1/x_1].$$

The correct inputs for the machine are programs, defined as follows.

Definition 9. The set P of programs is the set of closed terms typable by the ground type, i.e. $P = \{M \mid\ \vdash M : \mathbf{B}\}$.

The design of the evaluation machine follows the syntactic shape of programs.
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C, ^ 1= b ^ b 



{Ax) 



C, A@{yi' := N} h M[x7x]Vi ■ ■ • J| b 
C,^h(Ax.M)NVi---V„|lb 



{x:=N}e^ C,^ h NVi ^b 
C,^^xVi---V„J|b 



{h) 



C[{ if [o] then No else Ni )Vi • • • V„], ^ M C, ^ h NqVi • ■ • V„j J| b 
C, ^ 1= ( if M then Nq else Ni )Vi • • • V„ JJ- b 



(if 0) 



C[( if [o] then No else Ni )Vi • • ■ V™], ^ |= M J| 1 C, ^ |= NiVi • ■ • V„j JJ. b 
C, ^ 1= ( if M then No else Ni )Vi • • ■ V„j J| b 



(if 1) 



(§) x' is a fresh variable. 



Table III. The Abstract Machine K£ 



Remark 1. It is easy to check that every term has the following shape: $\lambda x_1 \ldots x_n.\zeta\,V_1 \cdots V_m$, for some $n, m \geq 0$, where $\zeta$ is either a boolean $b$, a variable $x$, a redex $(\lambda x.N)P$, or a subterm of the shape $\text{if } P \text{ then } N_0 \text{ else } N_1$. It is immediate to check that, if a term is in $\mathcal{P}$, then $n = 0$. Moreover, if a term in $\mathcal{P}$ is a normal form, then it coincides with a boolean constant $b$.

The evaluation machine $K_B$ proves statements of the shape:

  $C, A \models M \Downarrow b$

where $C$ and $A$ are a B-context and an m-context respectively, $M$ is a term, and $b$ is a boolean value. Its rules are listed in Table III. They need some comments; we describe the rules bottom-up. The $(Ax)$ rule is obvious. The $(\beta)$ rule applies when the head of the subject is a $\beta$-redex: the association between the bound variable and the argument is recorded in the m-context, and the body of the term in functional position is evaluated. Note that an $\alpha$-rule is always performed. The $(h)$ rule replaces the head occurrence of the head variable by the term associated with it in the m-context. Rules (if 0) and (if 1) perform the $\delta$ reductions. In order to evaluate the test $M$, the rest of the subject is temporarily erased; this erased information is stored in the B-context, since B-contexts are stacks that store all the branches of a computation produced by conditionals. When the evaluation of the test $M$ of the current conditional is completed, the machine pops the top B-context and continues by evaluating the term in the branch selected by the value of the test. The behaviour of the machine $K_B$ is formalized in the following definition.

Table IV. An example of computation in $K_B$ on the term $M_2$ of Example 1. The derivation tree is written from its conclusion upwards: each configuration is followed by the rule applied to it and, indented, by its premises (left premise first, so that the listing order is the left-depth-first visit of Section 3.2). A configuration written without B-context has $C = \circ$. The abbreviations used are:

  $A_0 = [f_1 := \lambda x.\text{if } x \text{ then } x \text{ else } x]$
  $C_0 = \text{if } [\circ] \text{ then } x_1 \text{ else } x_1$
  $A_1 = A_0@[z_1 := 0]$
  $C_1 = C_0[\text{if } [\circ] \text{ then } x_2 \text{ else } x_2]$
  $A_2 = A_1@[x_1 := f_1 z_1]$
  $C_2 = \text{if } [\circ] \text{ then } x_3 \text{ else } x_3$
  $A_3 = A_2@[x_2 := z_1]$
  $A_4 = A_2@[x_3 := z_1]$

  $\models (\lambda f.\lambda z.f(fz))(\lambda x.\text{if } x \text{ then } x \text{ else } x)\,0 \Downarrow 0$   ($\beta$)
    $A_0 \models (\lambda z.f_1(f_1 z))\,0 \Downarrow 0$   ($\beta$)
      $A_1 \models f_1(f_1 z_1) \Downarrow 0$   ($h$)
        $A_1 \models (\lambda x.\text{if } x \text{ then } x \text{ else } x)(f_1 z_1) \Downarrow 0$   ($\beta$)
          $A_2 \models \text{if } x_1 \text{ then } x_1 \text{ else } x_1 \Downarrow 0$   (if 0)
            $C_0, A_2 \models x_1 \Downarrow 0$   ($h$)
              $C_0, A_2 \models f_1 z_1 \Downarrow 0$   ($h$)
                $C_0, A_2 \models (\lambda x.\text{if } x \text{ then } x \text{ else } x)\,z_1 \Downarrow 0$   ($\beta$)
                  $C_0, A_3 \models \text{if } x_2 \text{ then } x_2 \text{ else } x_2 \Downarrow 0$   (if 0)
                    $C_1, A_3 \models x_2 \Downarrow 0$   ($h$)
                      $C_1, A_3 \models z_1 \Downarrow 0$   ($h$)
                        $C_1, A_3 \models 0 \Downarrow 0$   ($Ax$)
                    $C_0, A_3 \models x_2 \Downarrow 0$   ($h$)
                      $C_0, A_3 \models z_1 \Downarrow 0$   ($h$)
                        $\phi \triangleright C_0, A_3 \models 0 \Downarrow 0$   ($Ax$)
            $\psi \triangleright A_2 \models x_1 \Downarrow 0$   ($h$)
              $A_2 \models f_1 z_1 \Downarrow 0$   ($h$)
                $A_2 \models (\lambda x.\text{if } x \text{ then } x \text{ else } x)\,z_1 \Downarrow 0$   ($\beta$)
                  $A_4 \models \text{if } x_3 \text{ then } x_3 \text{ else } x_3 \Downarrow 0$   (if 0)
                    $C_2, A_4 \models x_3 \Downarrow 0$   ($h$)
                      $C_2, A_4 \models z_1 \Downarrow 0$   ($h$)
                        $C_2, A_4 \models 0 \Downarrow 0$   ($Ax$)
                    $A_4 \models x_3 \Downarrow 0$   ($h$)
                      $A_4 \models z_1 \Downarrow 0$   ($h$)
                        $A_4 \models 0 \Downarrow 0$   ($Ax$)

The configurations $\phi$ and $\psi$ are the ones referred to in Example 2.

Definition 10.

(1) The evaluation relation $\Downarrow\ \subseteq Ctx_B \times Ctx_m \times \Lambda_B \times \mathbf{B}$ is the relation inductively defined by the rules of $K_B$. If $M$ is a program, and if there is a boolean $b$ such that $\circ, \epsilon \models M \Downarrow b$, then we say that $M$ evaluates, and we write $M \Downarrow$. As usual, $\models M \Downarrow b$ is short for $\circ, \epsilon \models M \Downarrow b$.

(2) Derivation trees in the abstract machine are called computations and are denoted by $\nabla, \Theta$. We use $\nabla :: C, A \models M \Downarrow b$ to denote a computation with conclusion $C, A \models M \Downarrow b$.

(3) Given a computation $\nabla$, each node of $\nabla$, which is of the shape $C, A \models M \Downarrow b$, is a configuration. The notation $C, A \models M \Downarrow b \in \nabla$ is used to stress that $C, A \models M \Downarrow b$ is a configuration in the computation $\nabla$. Configurations are denoted by $\phi, \psi$. The notation $\phi \triangleright C, A \models M \Downarrow b$ means that $\phi$ is the configuration $C, A \models M \Downarrow b$. The conclusion of the derivation tree is called the initial configuration.

(4) Given a computation $\nabla$, the path to reach a configuration $\phi$, denoted $path_\nabla(\phi)$, is the sequence of configurations between the conclusion of $\nabla$ and $\phi$. In general, we simply write $path(\phi)$ when $\nabla$ is clear from the context.

In Table IV we present an example of $K_B$ computation on the term $M_2$ as defined in Example 1.
In order to prove that the machine is sound and complete with respect to programs, we need to prove some additional properties. First of all, the next lemma proves that the machine enjoys a sort of weakening with respect to both contexts.

Lemma 8. (1) Let $C[\circ], A \models M \Downarrow b$. Then, for every $C'[\circ]$ such that $(C'[C[M]])^A \in \mathcal{P}$, $C'[C[\circ]], A \models M \Downarrow b$.
(2) Let $\nabla :: C, A \models M \Downarrow b$ and let $x$ be a fresh variable. Then $\nabla :: C, A@\{x := N\} \models M \Downarrow b$.

Proof. Both points can be easily proved by induction on the computation. □

Lemma 9.

(1) Let $C, A \models M \Downarrow b$ and let $(C[M])^A \in \mathcal{P}$. Then both $(M)^A \to^*_{\beta\delta} b$ and $(C[M])^A \to^*_{\beta\delta} b'$, for some $b'$.

(2) Let $M \in \mathcal{P}$ and $\nabla :: \models M \Downarrow b$. For each $\phi \triangleright C, A \models N \Downarrow b' \in \nabla$, $(C[N])^A \in \mathcal{P}$.

(3) Let $(M)^A \in \mathcal{P}$ and $(M)^A \to^*_{\beta\delta} b$. Then $\circ, A \models M \Downarrow b$.

Proof.

(1) First of all, the property $(C[M])^A \to^*_{\beta\delta} b'$ for some $b'$ derives directly from the fact that $(C[M])^A \in \mathcal{P}$. In fact this implies that $(C[M])^A$ is a closed strongly normalizing term of type $\mathbf{B}$, and so its normal form is necessarily a boolean constant. So in what follows we will prove just that $C, A \models M \Downarrow b$ and $(C[M])^A \in \mathcal{P}$ imply $(M)^A \to^*_{\beta\delta} b$. Note that if $(C[M])^A \in \mathcal{P}$ then clearly $(M)^A \in \mathcal{P}$. We proceed by induction on the derivation proving $C, A \models M \Downarrow b$. Let the last rule be:

                                  (Ax)
  $C, A \models b \Downarrow b$

Obviously $(b)^A \to^*_{\beta\delta} b$. Let the derivation end as:

  $C, A@[x' := N] \models P[x'/x]\,V_1 \cdots V_m \Downarrow b$
  --------------------------------------------------------- ($\beta$)
  $C, A \models (\lambda x.P)N\,V_1 \cdots V_m \Downarrow b$

By induction hypothesis $(P[x'/x]\,V_1 \cdots V_m)^{A@[x' := N]} \to^*_{\beta\delta} b$. Clearly, since $x'$ is fresh:

  $(P[x'/x]\,V_1 \cdots V_m)^{A@[x' := N]} = ((P[x'/x]\,V_1 \cdots V_m)[N/x'])^A = (P[N/x]\,V_1 \cdots V_m)^A$

hence:

  $((\lambda x.P)N\,V_1 \cdots V_m)^A \to_\beta (P[N/x]\,V_1 \cdots V_m)^A \to^*_{\beta\delta} b$

and the conclusion follows. The case of a rule $(h)$ follows directly by induction hypothesis.

Let the derivation end as:

  $C', A \models P \Downarrow 0$      $C, A \models N_0\,V_1 \cdots V_m \Downarrow b$
  ------------------------------------------------------------------------ (if 0)
  $C, A \models (\text{if } P \text{ then } N_0 \text{ else } N_1)V_1 \cdots V_m \Downarrow b$

where $C' = C[(\text{if } [\circ] \text{ then } N_0 \text{ else } N_1)V_1 \cdots V_m]$. By induction hypothesis $(P)^A \to^*_{\beta\delta} 0$, hence:

  $((\text{if } P \text{ then } N_0 \text{ else } N_1)V_1 \cdots V_m)^A \to^*_{\beta\delta} ((\text{if } 0 \text{ then } N_0 \text{ else } N_1)V_1 \cdots V_m)^A$

and by $\delta$ reduction

  $((\text{if } 0 \text{ then } N_0 \text{ else } N_1)V_1 \cdots V_m)^A \to_\delta (N_0\,V_1 \cdots V_m)^A$

moreover, since by induction hypothesis we also have $(N_0\,V_1 \cdots V_m)^A \to^*_{\beta\delta} b$, the conclusion follows. The case of rule (if 1) is analogous.

(2) Easy, by induction on the length of $path(\phi)$.

(3) The proof is by induction on the number of steps needed to reach the normal form $b$ of $(M)^A$ according to the leftmost strategy. Since $(M)^A$ is strongly normalizing, this is clearly well-founded.

If $(M)^A$ is already in normal form, since it must be typable of type $\mathbf{B}$, then $M = b$ and the result is trivial. Otherwise $(M)^A$ cannot be an abstraction, because of its typing, so it is an application $N\,Q\,V_1 \ldots V_m$.

Suppose $N = \lambda x.R$. There are two cases: either $(M)^A = ((\lambda x.R')Q'V'_1 \ldots V'_m)^A$, or $(M)^A = (yQ'V'_1 \ldots V'_m)^A$ and $\{y := \lambda x.R'\} \in A$.

Let us consider the first case. Then $((\lambda x.R')Q'V'_1 \ldots V'_m)^A \to_\beta (R'[Q'/x]V'_1 \ldots V'_m)^A = (R'[x'/x]V'_1 \ldots V'_m)^{A@\{x' := Q'\}}$. By induction hypothesis we have $[\circ], A@\{x' := Q'\} \models R'[x'/x]V'_1 \ldots V'_m \Downarrow b$, and so the result follows by rule $(\beta)$.

In the second case, since $\{y := \lambda x.R'\} \in A$, then $(yQ'V'_1 \ldots V'_m)^A \to_\beta (R'[Q'/x]V'_1 \ldots V'_m)^A = (R'[x'/x]V'_1 \ldots V'_m)^{A@\{x' := Q'\}}$. By induction hypothesis $[\circ], A@\{x' := Q'\} \models R'[x'/x]V'_1 \ldots V'_m \Downarrow b$, so by one application of the rule $(\beta)$, $[\circ], A \models (\lambda x.R')Q'V'_1 \ldots V'_m \Downarrow b$. Finally, by one application of the rule $(h)$, since $\{y := \lambda x.R'\} \in A$, we have $[\circ], A \models yQ'V'_1 \ldots V'_m \Downarrow b$.

The remaining case is the one where $N = \text{if } M' \text{ then } N'_0 \text{ else } N'_1$. By definition $(M)^A = ((\text{if } M' \text{ then } N'_0 \text{ else } N'_1)Q'V'_1 \ldots V'_m)^A = (\text{if } (M')^A \text{ then } (N'_0)^A \text{ else } (N'_1)^A)(Q')^A(V'_1)^A \ldots (V'_m)^A$. Since $(M)^A \in \mathcal{P}$, $\vdash (M)^A : \mathbf{B}$, so, by the strong normalization property, $(M)^A \to^*_{\beta\delta} b$. This implies either $(M')^A = b'$ or $(M')^A \to^*_{\beta\delta} b'$ for some $b'$. Let us consider the latter case. The reduction sequence $(M')^A \to^*_{\beta\delta} b'$ is shorter than the one $(M)^A \to^*_{\beta\delta} b$, so by induction $[\circ], A \models M' \Downarrow b'$, and, by Lemma 8.1, $(\text{if } [\circ] \text{ then } N'_0 \text{ else } N'_1)Q'V'_1 \ldots V'_m, A \models M' \Downarrow b'$. Without loss of generality, we consider only the case where $b' = 0$. Then $(M)^A \to^*_{\beta\delta} b$ implies $(N'_0 Q'V'_1 \ldots V'_m)^A \to^*_{\beta\delta} b$, so by induction $[\circ], A \models N'_0 Q'V'_1 \ldots V'_m \Downarrow b$, and the result follows by rule (if 0). The case $(M')^A = b'$ is easier. The case $(M)^A = (yQ'V'_1 \ldots V'_m)^A$ with $(y := \text{if } M' \text{ then } N'_0 \text{ else } N'_1) \in A$ is similar, but both rules $(h)$ and (if) must be used. □

Then we can state the soundness and completeness of the evaluation machine $K_B$ with respect to the reduction on programs.

Theorem 2. Let $M \in \mathcal{P}$. Then:

(1) If $\models M \Downarrow b$ then $M \to^*_{\beta\delta} b$.
(2) If $M \to^*_{\beta\delta} b$ then $\models M \Downarrow b$.

Proof.

(1) It follows directly by Lemma 9.(1).
(2) It follows directly by Lemma 9.(3). □

Table V. The small step machine $k_B$.

  $(S, C, A \succ (\lambda x.M)N\,V_1 \cdots V_m) \mapsto (S, C, A@[x' := N] \succ M[x'/x]\,V_1 \cdots V_m)$   ($\beta$) (§)

  $[x := N] \in \overline{S \cdot A}$
  ------------------------------------------------------------------------ ($h$)
  $(S, C, A \succ x\,V_1 \cdots V_m) \mapsto (S, C, A \succ N\,V_1 \cdots V_m)$

  $C' = C[(\text{if } [\circ] \text{ then } N_0 \text{ else } N_1)V_1 \cdots V_m]$
  ------------------------------------------------------------------------------------------ (if)
  $(S, C, A \succ (\text{if } M \text{ then } N_0 \text{ else } N_1)V_1 \cdots V_m) \mapsto (S \cdot A, C', \epsilon \succ M)$

  $(S \cdot A, C[(\text{if } [\circ] \text{ then } N_0 \text{ else } N_1)V_1 \cdots V_m], A' \succ 0) \mapsto (S, C, A \succ N_0\,V_1 \cdots V_m)$   ($r_0$)

  $(S \cdot A, C[(\text{if } [\circ] \text{ then } N_0 \text{ else } N_1)V_1 \cdots V_m], A' \succ 1) \mapsto (S, C, A \succ N_1\,V_1 \cdots V_m)$   ($r_1$)

(§) $x'$ is a fresh variable.

3.2 A small step version of $K_B$

The proof that programs are evaluated by the machine $K_B$ in polynomial space needs a formal definition of the space consumption, which in its turn needs a deep investigation of the machine behaviour. In fact, we will explicitly show that computations in the machine $K_B$ can be performed with no need of backtracking or of complex state memorization.

For this reason, in Table V we depict a small step abstract machine $k_B$ that is able to reduce programs of STAb sequentially, following a leftmost outermost strategy, and that exploits a use of contexts similar to the one implemented by the machine $K_B$. The rules are similar to the ones in Table III, but we need a further stack in order to maintain the desired complexity property.

In what follows we show that every big step computation has its small step correspondent. So the small step machine, by making the evaluation order explicit, clarifies the fact that every configuration depends uniquely on the previous one (thanks to the use of contexts). From this we can deduce that the space needed in order to evaluate a program is the maximum space used by one of its configurations. The big step machine has the advantage of being more abstract, and this makes it easier to prove the complexity properties. In fact, the use of a further stack makes the proofs of such properties more difficult for the small step machine. For this reason, in what follows we prefer to work on the big step machine. In order to state formally the behaviour of the machine $k_B$ we need to define a further stack containing m-contexts; this is done in the following definition.

Definition 11.

— An m-stack $S$ is a stack of m-contexts. The symbol $\epsilon$ denotes the empty m-stack. The expression $S \cdot A$ denotes the operation of pushing the m-context $A$ on the m-stack $S$. The set of m-stacks is denoted by $Stk_m$. The expression $\overline{S}$ denotes the m-context obtained by concatenating all the m-contexts in $S$, i.e. $\overline{\epsilon} = \epsilon$ and $\overline{S \cdot A} = \overline{S}@A$.

— The reduction relation $\mapsto\ \subseteq (Stk_m \times Ctx_B \times Ctx_m \times \Lambda_B) \times (Stk_m \times Ctx_B \times Ctx_m \times \Lambda_B)$ is the relation inductively defined by the rules of $k_B$. The relation $\mapsto^*$ is the reflexive and transitive closure of the reduction relation $\mapsto$.

If $M$ is a program, and if there is a boolean $b$ such that $(\epsilon, \circ, \epsilon \succ M) \mapsto^* (\epsilon, \circ, A \succ b)$ for some $A$, then we say that $M$ reduces to $b$, and we simply write $M \mapsto^* b$ for short.

We now prove that we have a direct correspondence between the configurations of a computation in the big step machine and the small step machine configurations. Given a big step abstract machine derivation $\nabla :: \models M \Downarrow b$, we can define a translation $(-)^s$ assigning to each configuration $\phi \triangleright C, A \models N \Downarrow b' \in \nabla$ a small step abstract machine configuration $(S, C, A' \succ N)$ such that $\overline{S \cdot A'} = A$. Let $(-)^s$ be inductively defined, for every configuration $\phi \in \nabla$, on the length $n$ of $path_\nabla(\phi)$ as:

— if $n = 1$ then

  $(\circ, \epsilon \models M \Downarrow b)^s = (\epsilon, \circ, \epsilon \succ M)$

— if $n = m + 1$ then for some $\psi$ we have $path_\nabla(\phi) = path_\nabla(\psi) + 1$, and in particular we have a rule $(R)$ like the following

  $C_1, A_1 \models N_1 \Downarrow b_1 \quad \cdots \quad C_k, A_k \models N_k \Downarrow b_k$
  ----------------------------------------------------------- ($R$)
  $\psi \triangleright C, A \models N \Downarrow b$

for $1 \leq k \leq 2$, where the length of $path_\nabla(\psi)$ is $m$ and $\phi$ is one of the premise configurations of $(R)$. We now proceed by cases on $(R)$.
If $(R)$ is the rule:

  $\phi \triangleright C, A@\{x' := N\} \models M[x'/x]\,V_1 \cdots V_m \Downarrow b$
  --------------------------------------------------------------- ($\beta$)
  $\psi \triangleright C, A \models (\lambda x.M)N\,V_1 \cdots V_m \Downarrow b$

then, by induction hypothesis, we have $(\psi)^s = (S, C, A' \succ (\lambda x.M)N\,V_1 \cdots V_m)$ such that $\overline{S \cdot A'} = A$, so we can define

  $(\phi)^s = (S, C, A'@[x' := N] \succ M[x'/x]\,V_1 \cdots V_m)$

and clearly $\overline{S \cdot (A'@\{x' := N\})} = A@\{x' := N\}$.
If $(R)$ is the rule:

  $\{x := N\} \in A$      $\phi \triangleright C, A \models N\,V_1 \cdots V_m \Downarrow b$
  ------------------------------------------------------------------ ($h$)
  $\psi \triangleright C, A \models x\,V_1 \cdots V_m \Downarrow b$

then, by induction hypothesis, we have $(\psi)^s = (S, C, A' \succ x\,V_1 \cdots V_m)$ such that $\overline{S \cdot A'} = A$, so we can define

  $(\phi)^s = (S, C, A' \succ N\,V_1 \cdots V_m)$

If $(R)$ is the rule:

  $C[(\text{if } [\circ] \text{ then } N_0 \text{ else } N_1)V_1 \cdots V_m], A \models M \Downarrow 0$      $C, A \models N_0\,V_1 \cdots V_m \Downarrow b$
  ------------------------------------------------------------------------------------------------ (if 0)
  $\psi \triangleright C, A \models (\text{if } M \text{ then } N_0 \text{ else } N_1)V_1 \cdots V_m \Downarrow b$

by induction hypothesis $(\psi)^s = (S, C, A' \succ (\text{if } M \text{ then } N_0 \text{ else } N_1)V_1 \cdots V_m)$ such that $\overline{S \cdot A'} = A$, and we have two distinct cases. Consider the case $\phi \triangleright C[(\text{if } [\circ] \text{ then } N_0 \text{ else } N_1)V_1 \cdots V_m], A \models M \Downarrow 0$; then we can define

  $(\phi)^s = (S \cdot A', C[(\text{if } [\circ] \text{ then } N_0 \text{ else } N_1)V_1 \cdots V_m], \epsilon \succ M)$

Analogously, if $\phi \triangleright C, A \models N_0\,V_1 \cdots V_m \Downarrow b$ then we can define

  $(\phi)^s = (S, C, A' \succ N_0\,V_1 \cdots V_m)$

The case where $(R)$ is the rule (if 1) is similar.

The translation defined above is useful in order to state the correspondence between the big step and the small step machine. In order to establish this correspondence we need to visit the evaluation trees of the big step machine computation following a fixed visiting order. In particular, we consider the left-depth-first visit. E.g., consider the following tree:

[Figure omitted: a derivation tree whose nodes are labelled by letters.]

The left-depth-first visit coincides with the visit of the nodes in alphabetical order. Below, we need to talk about the visit of nodes in a given computation $\nabla :: \models M \Downarrow b$. For this reason, we say that a configuration $\psi$ immediately follows a configuration $\phi$ if the node visited after $\phi$ in the left-depth-first visit is the node $\psi$. For instance, the node $i$ immediately follows the node $h$ in the above figure. Now we can state an important result.

Lemma 10. Let $\nabla :: \models M \Downarrow b$ and let $\phi, \psi \in \nabla$ be two distinct configurations (i.e. $\phi \neq \psi$) such that $\psi$ immediately follows $\phi$ in the left-depth-first visit of $\nabla$. Then:

  $(\phi)^s \mapsto (\psi)^s$

Proof. We proceed by induction on the height of $\nabla$. The base case is easy, since $\nabla$ is an application of the $(Ax)$ rule, hence there are no configurations $\phi, \psi \in \nabla$ such that $\phi \neq \psi$. Consider now the case where the height of $\nabla$ is greater than 1. If the rule with conclusion $\phi$ is not an axiom, then $\psi$ coincides with one of its premises. Let us consider all possible cases. Consider the case where the rule with conclusion $\phi$ is $(\beta)$. Then we are in a situation as:

  $\psi \triangleright C, A@\{x' := N\} \models P[x'/x]\,V_1 \cdots V_m \Downarrow b$
  --------------------------------------------------------------- ($\beta$)
  $\phi \triangleright C, A \models (\lambda x.P)N\,V_1 \cdots V_m \Downarrow b$

then

  $(\phi)^s = (S, C, A' \succ (\lambda x.P)N\,V_1 \cdots V_m) \mapsto (S, C, A'@\{x' := N\} \succ P[x'/x]\,V_1 \cdots V_m) = (\psi)^s$

where $A = \overline{S \cdot A'}$. Consider the case where the rule with conclusion $\phi$ is:

  $\{x := N\} \in A$      $\psi \triangleright C, A \models N\,V_1 \cdots V_m \Downarrow b$
  ------------------------------------------------------------------ ($h$)
  $\phi \triangleright C, A \models x\,V_1 \cdots V_m \Downarrow b$

then

  $(\phi)^s = (S, C, A' \succ x\,V_1 \cdots V_m) \mapsto (S, C, A' \succ N\,V_1 \cdots V_m) = (\psi)^s$

thanks to the fact that $\{x := N\} \in A = \overline{S \cdot A'}$.
If the rule with conclusion $\phi$ is:

  $\psi \triangleright C[(\text{if } [\circ] \text{ then } N_0 \text{ else } N_1)V_1 \cdots V_m], A \models N \Downarrow 0$      $C, A \models N_0\,V_1 \cdots V_m \Downarrow b$
  ------------------------------------------------------------------------------------------------ (if 0)
  $\phi \triangleright C, A \models (\text{if } N \text{ then } N_0 \text{ else } N_1)V_1 \cdots V_m \Downarrow b$

then

  $(\phi)^s = (S, C, A' \succ (\text{if } N \text{ then } N_0 \text{ else } N_1)V_1 \cdots V_m) \mapsto (S \cdot A', C[(\text{if } [\circ] \text{ then } N_0 \text{ else } N_1)V_1 \cdots V_m], \epsilon \succ N) = (\psi)^s$

The case of the rule (if 1) is analogous.

Now consider the case where $\phi$ is the conclusion of an axiom rule, i.e.:

                                            (Ax)
  $\phi \triangleright C, A \models b \Downarrow b$

If $C$ is empty, then $\phi$ is the last configuration in the left-depth-first visit of $\nabla$, hence there is no configuration $\psi \in \nabla$ following $\phi$ such that $\phi \neq \psi$. Otherwise, $\nabla$ has a subderivation $\Theta$ of the shape:

                                            (Ax)
  $\phi \triangleright C, A \models b \Downarrow b$
        $\vdots$
  $C, A'' \models N \Downarrow b$      $\psi \triangleright C', A' \models N_b\,V_1 \cdots V_m \Downarrow b'$
  ------------------------------------------------------------------------------------ (if $b$)
  $\phi' \triangleright C', A' \models (\text{if } N \text{ then } N_0 \text{ else } N_1)V_1 \cdots V_m \Downarrow b'$

where $C = C'[(\text{if } [\circ] \text{ then } N_0 \text{ else } N_1)V_1 \cdots V_m]$ and, by definition of the left-depth-first visit, $\psi$ is the configuration following $\phi$. Note in particular that $path_\Theta(\phi)$, above the left premise of the final (if $b$) rule, does not cross any if-rule through its left premise. By definition of the translation $(-)^s$ this means that if $(\phi')^s = (S, C', A'_1 \succ (\text{if } N \text{ then } N_0 \text{ else } N_1)V_1 \cdots V_m)$ then $(\phi)^s = (S \cdot A'_1, C'[(\text{if } [\circ] \text{ then } N_0 \text{ else } N_1)V_1 \cdots V_m], A''' \succ b)$ for some $A'''$, so in particular, by rule $(r_b)$, we have

  $(\phi)^s = (S \cdot A'_1, C'[(\text{if } [\circ] \text{ then } N_0 \text{ else } N_1)V_1 \cdots V_m], A''' \succ b) \mapsto (S, C', A'_1 \succ N_b\,V_1 \cdots V_m) = (\psi)^s$

and the proof is given. □

We can now use this result to prove that computations in the big step machine correspond to computations in the small step one.

Theorem 3. Let $M \in \mathcal{P}$. Then:

  $\models M \Downarrow b$ implies $M \mapsto^* b$

Proof. By repeatedly applying Lemma 10. □

A converse of the above lemma can be easily obtained. Nevertheless, the previous result is sufficient in order to show that our space measures are sound. Indeed, Lemma 10, if repeatedly applied, allows us to define the execution in the $K_B$ machine as a sequence of configurations corresponding to the left-depth-first visit of the derivation tree. Moreover, since clearly in the small step machine every step depends only on the previous one, the definition of the translation $(-)^s$ and Lemma 10 imply that also in $K_B$ every execution step depends only on the previous one.

Example 2. Returning to the computation example in Table IV, it is worth noting that, in order to pass from the configuration $\phi$ to the configuration $\psi$, all the necessary information is already present in the configuration $\phi$ itself. We can view such a step as a $\to_\delta$ step $(\text{if } 0 \text{ then } x_1 \text{ else } x_1)^{A_3} \to_\delta (x_1)^{A_3}$, noting that $(x_1)^{A_3} = (x_1)^{A_2}$.

In fact, the behaviour shown in the above example can be generalized, so in this sense we need neither a mechanism for backtracking nor the memorization of parts of the computation tree. Using this property, we can define in a similar way the notion of space used to evaluate a term in the two machines. Let us first define the size of a configuration in both machines.

Definition 12.

(1) If $(S, C, A \succ M)$ is a configuration in $k_B$, then its size is $|S| + |C| + |A| + |M|$.

(2) If $\phi \triangleright C, A \models M \Downarrow b$ is a configuration in $K_B$, then its size (denoted by $|\phi|$) is $|C| + |A| + |M|$.

We can now define the required space in both machines as the maximal size of a configuration in the computation.

Definition 13.

(1) Let $(\epsilon, [\circ], \epsilon \succ M) \mapsto^* b$ be a computation in $k_B$. Then its required space, denoted by $space_s(M)$, is the maximal size of a configuration in it.

(2) Let $\nabla :: [\circ], \epsilon \models M \Downarrow b$ be a computation in $K_B$. Then its required space, denoted by $space(M)$, is the maximal size of a configuration in $\nabla$.

We can now show that the relation between the required space of the two machines is the expected one.

Lemma 11. Let $M \in \mathcal{P}$. Then:

  $space_s(M) \leq space(M)$

Proof. By definition of the translation $(-)^s$ and Lemma 10. □

So from now on we can restrict our attention to proving the polynomial space measure soundness in the case of the big step evaluation machine.
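As an added example (not code from the paper), the following Python implements the big-step rules of Table III on the contexts of Definitions 7 to 10 and computes $space(M)$ of Definition 13 on the term $M_2$ of Table IV; the tuple encoding of terms and the convention that every constructor node has size 1 are assumptions.

```python
"""Big-step machine K_B (Table III) with the space measure of Definitions 12-13.
Terms are nested tuples (assumed encoding):
('bool', b)  ('var', x)  ('lam', x, body)  ('app', f, arg)  ('if', t, n0, n1).
Inputs are assumed to be programs (closed, typable by B); typing is not checked."""
import itertools

_fresh = itertools.count(1)        # source of the fresh variables x' of rule (beta)

def size(t):
    """Term size: one per constructor node (assumed convention; the page fixes
    only |x := M| = |M| + 1 for m-context entries)."""
    if t[0] in ('bool', 'var'):
        return 1
    return 1 + sum(size(s) for s in t[1:] if isinstance(s, tuple))

def rename(t, x, y):
    """M[y/x] for a fresh variable y: the alpha-step built into rule (beta)."""
    tag = t[0]
    if tag == 'bool':
        return t
    if tag == 'var':
        return ('var', y) if t[1] == x else t
    if tag == 'lam':
        return t if t[1] == x else ('lam', t[1], rename(t[2], x, y))
    return (tag,) + tuple(rename(s, x, y) for s in t[1:])    # 'app' and 'if'

def apps(head, args):
    """head V1 ... Vm as a left-nested application."""
    for a in args:
        head = ('app', head, a)
    return head

def split(t):
    """Remark 1: every term is  head V1 ... Vm  with head not an application."""
    args = []
    while t[0] == 'app':
        args.append(t[2])
        t = t[1]
    return t, args[::-1]

def plug(C, hole):
    """C[hole] for a B-context C kept as a list of frames (n0, n1, args),
    outermost frame first, so pushing a nested context is appending."""
    for n0, n1, args in reversed(C):
        hole = apps(('if', hole, n0, n1), args)
    return hole

def conf_size(C, A, M):
    """Definition 12: |C| + |A| + |M|, with |C| the size of C[o] for a variable o."""
    return size(plug(C, ('var', 'o'))) + sum(size(n) + 1 for _, n in A) + size(M)

class MachineKB:
    def __init__(self):
        self.trace = []            # configurations, in left-depth-first order

    def run(self, M):
        """o, eps |= M ⇓ b (Definition 10); returns b."""
        self.trace = []
        return self.eval([], [], M)

    def space(self):
        """Definition 13: maximal configuration size in the computation."""
        return max(conf_size(C, A, M) for C, A, M in self.trace)

    def eval(self, C, A, M):
        self.trace.append((C, A, M))
        head, args = split(M)
        tag = head[0]
        if tag == 'bool':                               # (Ax)
            if args:
                raise ValueError('boolean in head position with arguments')
            return head[1]
        if tag == 'lam':                                # (beta): record x' := N
            if not args:
                raise ValueError('abstraction at top level: not a program')
            x, body = head[1], head[2]
            x2 = f'{x}_{next(_fresh)}'
            return self.eval(C, A + [(x2, args[0])],
                             apps(rename(body, x, x2), args[1:]))
        if tag == 'var':                                # (h): look x up in A
            for y, N in A:
                if y == head[1]:
                    return self.eval(C, A, apps(N, args))
            raise ValueError(f'free variable {head[1]}')
        _, test, n0, n1 = head                          # (if 0) / (if 1)
        b = self.eval(C + [(n0, n1, args)], A, test)    # left premise, C grows
        return self.eval(C, A, apps(n0 if b == 0 else n1, args))  # right premise

# The term M2 of Table IV: (lambda f.lambda z.f(f z)) (lambda x.if x then x else x) 0
ID_IF = ('lam', 'x', ('if', ('var', 'x'), ('var', 'x'), ('var', 'x')))
TWICE = ('lam', 'f', ('lam', 'z',
         ('app', ('var', 'f'), ('app', ('var', 'f'), ('var', 'z')))))
M2 = apps(TWICE, [ID_IF, ('bool', 0)])

def evaluate(M):
    """Returns (b, number of configurations, space(M), max #(C) along the run)."""
    m = MachineKB()
    b = m.run(M)
    return b, len(m.trace), m.space(), max(len(C) for C, _, _ in m.trace)

if __name__ == '__main__':
    print(evaluate(M2))            # (0, 25, 23, 2): the 25 nodes of Table IV
```

The recursion order of `eval` (conclusion, then left premise, then right premise) is exactly the left-depth-first visit used in Lemma 10, so `trace[14]` and `trace[15]` are the configurations $\phi$ and $\psi$ of Table IV.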
3.3 Space Measures

In this subsection we connect the space measure of the big step machine with the one of the typable term to be evaluated. In particular, we emphasize the relations between machine computations and type derivations.
In what follows we introduce some relations between the size of the contexts and the behaviour of the machine, which will be useful later.

Definition 14. Let $\nabla$ be a computation and $\phi \in \nabla$ a configuration. Then:

— the symbol $\#\beta(\phi)$ denotes the number of applications of the $(\beta)$ rule in $path(\phi)$,

— the symbol $\#h(\phi)$ denotes the number of applications of the $(h)$ rule in $path(\phi)$,

— the symbol $\#\text{if}(\phi)$ denotes the number of applications of (if 0) and (if 1) rules in $path(\phi)$.

The cardinality of the contexts in a configuration $\phi$ is a measure of the number of some rules performed by the machine in the path to reach $\phi$.

Lemma 12. Let $\nabla :: \models M \Downarrow b$ be a computation. Then, for each configuration $\phi \triangleright C_\phi, A_\phi \models N \Downarrow b' \in \nabla$:

(1) $\#(A_\phi) = \#\beta(\phi)$

(2) $\#(C_\phi) = \#\text{if}(\phi)$

Proof.

(1) Easy, by induction on the length of $path(\phi)$, since m-contexts can grow only by applications of the $(\beta)$ rule.

(2) Easy, by induction on the length of $path(\phi)$, since B-contexts can grow only by applications of the (if 0) and (if 1) rules. □

The following is a key property for proving soundness.

Property 1. Let $M \in \mathcal{P}$ and $\nabla :: \models M \Downarrow b$. Then for each $\phi \triangleright C, A \models P \Downarrow b' \in \nabla$, if $\{x_j := N_j\} \in A$ then $N_j$ is an instance (possibly with fresh variables) of a subterm of $M$.

Proof. The property is proven by contradiction. Take the configuration $\psi$ with minimal path from the root of $\nabla$ such that its m-context $A_\psi$ contains $x_j := N_j$, where $N_j$ is not an instance of a subterm of $M$. Let $p$ be the length of this path. Since the only rule that makes the m-context grow is a $(\beta)$ rule, we are in a situation like the following:

  $\psi \triangleright C, A'@\{x_j := N_j\} \models P[x_j/x]\,V_1 \cdots V_m \Downarrow b$
  --------------------------------------------------------------- ($\beta$)
  $C, A' \models (\lambda x.P)N_j\,V_1 \cdots V_m \Downarrow b$

If $N_j$ is not an instance of a subterm of $M$, it has been obtained by a substitution. Substitutions can be made only through applications of rule $(h)$ replacing the head variable. Hence, by the shape of $(\lambda x.P)N_j\,V_1 \cdots V_m$, the only possible situation is that there exists an application of rule $(h)$ as:

  $[y := M'] \in A''$      $C, A'' \models M'\,V'_1 \cdots V'_n \Downarrow b$
  -------------------------------------------------------------------- ($h$)
  $C, A'' \models y\,V'_1 \cdots V'_n \Downarrow b$

with $N_j$ a subterm of $M'$. But this implies that $M'$ is not an instance of a subterm of $M$, and it has been introduced by a $(\beta)$ rule on a path of length less than $p$, contradicting the hypothesis. □

The next lemma gives upper bounds on the size of the m-context, of the B-context and of the subject of a configuration.

Lemma 13. Let $M \in \mathcal{P}$ and $\nabla :: \models M \Downarrow b$. Then for each configuration $\phi \triangleright C, A \models P \Downarrow b' \in \nabla$:

(1) $|A| \leq \#\beta(\phi)(|M| + 1)$

(2) $|P| \leq (\#h(\phi) + 1)|M|$

(3) $|C| \leq \#\text{if}(\phi) \cdot \max\{|N| \mid \psi \triangleright C', A' \models N \Downarrow b'' \in path(\phi)\}$

Proof.

(1) By inspection of the rules of Table III it is easy to verify that m-contexts can grow only by applications of the $(\beta)$ rule. So the conclusion follows by Lemma 12.1 and Property 1.

(2) By inspection of the rules of Table III it is easy to verify that the subject can grow only by substitutions through applications of the $(h)$ rule. So the conclusion follows by Property 1.

(3) By inspection of the rules of Table III it is easy to verify that B-contexts can grow only by applications of the (if 0) and (if 1) rules. So the conclusion follows directly by Lemma 12.2. □

4. PSPACE SOUNDNESS

In this section we will show that STAb is correct for polynomial space computations. The degree of a type derivation, i.e. the maximal nesting of applications of the rule $(sp)$ in it, is the key notion in order to obtain the correctness. In fact, we will prove that each program typable through a derivation with degree $d$ can be executed on the machine $K_B$ in space polynomial in its size, where the maximum exponent of the polynomial is $d$. So, by considering fixed degrees, we get PSPACE soundness. Considering a fixed $d$ is not a limitation. Indeed, until now in STAb programs we have not distinguished between the program code and input data, but it will be shown in Section 5 that data types are typable through derivations with degree 0. Hence, the degree can be considered as a real characteristic of the program code. Moreover, every STAb program can be typed through derivations with different degrees; nevertheless, for each program there is a sort of minimal derivation for it with respect to the degree. So we can stratify programs with respect to the degree of their derivations, according to the following definition.

Definition 15.

(1) Let $\Pi$ be a type derivation. The degree of $\Pi$, denoted $d(\Pi)$, is the maximal nesting of applications of rule $(sp)$ in $\Pi$. It is inductively defined on the height of $\Pi$ as follows:

— if $\Pi$ consists of an $(Ax)$ or of a $(B_b I)$ rule then $d(\Pi) = 0$;

— if $\Pi$ ends by a rule $(R)$ with premise $\Sigma$, where $(R) \in \{(w), (\multimap I), (m), (\forall E), (\forall I)\}$, then $d(\Pi) = d(\Sigma)$;

— if $\Pi$ ends by a rule

  $\Sigma \triangleright \Gamma \vdash M : \sigma \multimap A$      $\Theta \triangleright \Delta \vdash N : \sigma$
  ------------------------------------------------------------ ($\multimap E$)
  $\Gamma, \Delta \vdash MN : A$

then $d(\Pi) = \max\{d(\Sigma), d(\Theta)\}$;

— if $\Pi$ ends by a rule

  $\Sigma \triangleright \Gamma \vdash M : \mathbf{B}$      $\Theta_0 \triangleright \Gamma \vdash N_0 : \sigma$      $\Theta_1 \triangleright \Gamma \vdash N_1 : \sigma$
  ---------------------------------------------------------------------------------------- ($BE$)
  $\Gamma \vdash \text{if } M \text{ then } N_0 \text{ else } N_1 : \sigma$

then $d(\Pi) = \max\{d(\Sigma), d(\Theta_0), d(\Theta_1)\}$;

— if $\Pi$ ends by a rule

  $\Sigma \triangleright \Gamma \vdash M : \sigma$
  ---------------------------------- ($sp$)
  $!\Gamma \vdash M : !\sigma$

then $d(\Pi) = d(\Sigma) + 1$.

(2) For each $d \in \mathbb{N}$ the set $\mathcal{P}_d$ is the set of STAb programs typable through derivations with degree $d$:

  $\mathcal{P}_d = \{M \mid \Pi \triangleright \vdash M : \mathbf{B} \wedge d(\Pi) = d\}$

Clearly $\mathcal{P}$ corresponds to the union, for $n \in \mathbb{N}$, of the different $\mathcal{P}_n$. Moreover, if $M \in \mathcal{P}_d$ then $M \in \mathcal{P}_e$ for every $e \geq d$.

This section is divided into two subsections. In the first, we will prove an intermediate result: we will give the notion of space weight of a derivation, and we will prove that subject reduction does not increase it. Moreover, this result is extended to the machine $K_B$. In the second subsection, the soundness with respect to PSPACE will be proved.

4.1 Space and STAb

We need to define measures of both terms and proofs, which are an adaptation of those given by Lafont in [Lafont 2004].

Definition 16.

— The rank of a rule $(m)$:

  $\Gamma, x_1 : \sigma, \ldots, x_n : \sigma \vdash M : \mu$
  ------------------------------------------------------- ($m$)
  $\Gamma, x : !\sigma \vdash M[x/x_1, \cdots, x/x_n] : \mu$

is the number $k \leq n$ of variables $x_j$ such that $x_j$ belongs to the free variables of $M$. Let $r$ be the maximal rank of a rule $(m)$ in $\Pi$. Then the rank of $\Pi$ is $rk(\Pi) = \max(r, 1)$.

— Let $r$ be a natural number. The space weight $\delta(\Pi, r)$ of $\Pi$ with respect to $r$ is defined inductively as follows:

— if $\Pi$ consists of an $(Ax)$ or of a $(B_b I)$ rule, then $\delta(\Pi, r) = 1$;

— if $\Pi$ ends by a $(\multimap I)$ rule with premise $\Sigma$, with conclusion $\Gamma \vdash \lambda x.M : \sigma \multimap A$, then $\delta(\Pi, r) = \delta(\Sigma, r) + 1$;

— if $\Pi$ ends by a rule

  $\Sigma \triangleright \Gamma \vdash M : \sigma$
  ---------------------------------- ($sp$)
  $!\Gamma \vdash M : !\sigma$

then $\delta(\Pi, r) = r\,\delta(\Sigma, r)$;

— if $\Pi$ ends by a rule

  $\Sigma \triangleright \Gamma \vdash M : \mu \multimap A$      $\Theta \triangleright \Delta \vdash N : \mu$
  ------------------------------------------------------------ ($\multimap E$)
  $\Gamma, \Delta \vdash MN : A$

then $\delta(\Pi, r) = \delta(\Sigma, r) + \delta(\Theta, r) + 1$;

— if $\Pi$ ends by a rule

  $\Sigma \triangleright \Gamma \vdash M : \mathbf{B}$      $\Theta_0 \triangleright \Gamma \vdash N_0 : A$      $\Theta_1 \triangleright \Gamma \vdash N_1 : A$
  ---------------------------------------------------------------------------------------- ($BE$)
  $\Gamma \vdash \text{if } M \text{ then } N_0 \text{ else } N_1 : A$

then $\delta(\Pi, r) = \max\{\delta(\Sigma, r), \delta(\Theta_0, r), \delta(\Theta_1, r)\} + 1$;

— in any other case $\delta(\Pi, r) = \delta(\Sigma, r)$, where $\Sigma$ is the unique premise derivation.

In order to prove that subject reduction does not increase the space weight of a derivation, we need to rephrase the Substitution Lemma taking into account this measure.

Lemma 14 (Weighted Substitution Lemma). Let $\Pi \triangleright \Gamma, x : \mu \vdash M : \sigma$ and $\Sigma \triangleright \Delta \vdash N : \mu$ such that $\Gamma \# \Delta$. There exists $\Theta \triangleright \Gamma, \Delta \vdash M[N/x] : \sigma$ such that, if $r \geq rk(\Pi)$:

  $\delta(\Theta, r) \leq \delta(\Pi, r) + \delta(\Sigma, r)$

Proof. It suffices to verify how the weights are modified by the proof of Lemma 4. We proceed by induction on the height of $x$ in $\Pi$. Base cases are trivial, and in the cases where $\Pi$ ends by $(\multimap I)$, $(\forall I)$, $(\forall E)$ and $(\multimap E)$ rules the conclusion follows directly by induction hypothesis.
Consider the case where $\Pi$ ends by:

  $\Pi' \triangleright \Gamma', x : \mu' \vdash M : \sigma'$
  ------------------------------------------ ($sp$)
  $\Gamma, x : \mu \vdash M : \sigma$

Then by Lemma 3.3, $\Sigma \equiv \Sigma''$, which is composed of a subderivation ending with an $(sp)$ rule with premise $\Sigma' \triangleright \Delta' \vdash N : \mu'$, followed by a sequence of rules $(w)$ and/or $(m)$. By induction hypothesis we have a derivation $\Theta' \triangleright \Gamma', \Delta' \vdash M[N/x] : \sigma'$. By applying the rule $(sp)$ and the sequence of $(w)$ and/or $(m)$ rules we obtain $\Theta \triangleright \Gamma, \Delta \vdash M[N/x] : \sigma$. Now, $\delta(\Pi, r) = r\,\delta(\Pi', r)$ and $\delta(\Sigma, r) = r\,\delta(\Sigma', r)$. By the induction hypothesis $\delta(\Theta', r) \leq \delta(\Pi', r) + \delta(\Sigma', r)$, and applying $(sp)$:

  $\delta(\Theta, r) \leq r(\delta(\Pi', r) + \delta(\Sigma', r)) = \delta(\Pi, r) + \delta(\Sigma, r)$

Consider the case where $\Pi$ ends by:

  $\Pi_0 \triangleright \Gamma, x : \mu \vdash M_0 : \mathbf{B}$      $\Pi_1 \triangleright \Gamma, x : \mu \vdash M_1 : A$      $\Pi_2 \triangleright \Gamma, x : \mu \vdash M_2 : A$
  -------------------------------------------------------------------------------------------------- ($BE$)
  $\Gamma, x : \mu \vdash \text{if } M_0 \text{ then } M_1 \text{ else } M_2 : A$

Then, by the induction hypothesis there are derivations $\Theta_0 \triangleright \Gamma, \Delta \vdash M_0[N/x] : \mathbf{B}$, $\Theta_1 \triangleright \Gamma, \Delta \vdash M_1[N/x] : A$ and $\Theta_2 \triangleright \Gamma, \Delta \vdash M_2[N/x] : A$ such that $\delta(\Theta_i, r) \leq \delta(\Pi_i, r) + \delta(\Sigma, r)$ for $0 \leq i \leq 2$. By applying a $(BE)$ rule we obtain a derivation $\Theta$ with conclusion:

  $\Gamma, \Delta \vdash \text{if } M_0[N/x] \text{ then } M_1[N/x] \text{ else } M_2[N/x] : A$

Since, by definition, $\delta(\Pi, r) = \max_{0 \leq i \leq 2}(\delta(\Pi_i, r)) + 1$, we have

  $\delta(\Theta, r) \leq \max_{0 \leq i \leq 2}(\delta(\Pi_i, r) + \delta(\Sigma, r)) + 1 = \max_{0 \leq i \leq 2}(\delta(\Pi_i, r)) + 1 + \delta(\Sigma, r) = \delta(\Pi, r) + \delta(\Sigma, r)$

Consider the case $\mu = !\mu'$ and $\Pi$ ends by:

  $\Pi' \triangleright \Gamma, x_1 : \mu', \ldots, x_m : \mu' \vdash M : \sigma$
  ---------------------------------------------------------- ($m$)
  $\Gamma, x : !\mu' \vdash M[x/x_1, \cdots, x/x_m] : \sigma$

By Lemma 3.3, $\Sigma \equiv \Sigma''$, ending by an $(sp)$ rule with premise $\Sigma' \triangleright \Delta' \vdash N : \mu'$ followed by a sequence of rules $(w)$ and/or $(m)$. Hence $\delta(\Sigma, r) = r\,\delta(\Sigma', r)$. Consider fresh copies of the derivation $\Sigma'$, i.e. $\Sigma'_j \triangleright \Delta'_j \vdash N_j : \mu'$ where $N_j$ and $\Delta'_j$ are fresh copies of $N$ and $\Delta'$ respectively; trivially $\delta(\Sigma', r) = \delta(\Sigma'_j, r)$ ($1 \leq j \leq m$). Let $x_i$ be such that its height is maximal among the heights of all the $x_j$ ($1 \leq j \leq m$). By induction hypothesis there is a derivation:

  $\Theta_i \triangleright \Gamma, x_1 : \mu', \ldots, x_{i-1} : \mu', x_{i+1} : \mu', \ldots, x_m : \mu', \Delta'_i \vdash M[N_i/x_i] : \sigma$

and since $\delta(\Pi, r) = \delta(\Pi', r)$, we have $\delta(\Theta_i, r) \leq \delta(\Pi', r) + \delta(\Sigma', r)$. Then we can repeatedly apply the induction hypothesis to obtain a derivation $\Theta' \triangleright \Gamma, \Delta'_1, \ldots, \Delta'_m \vdash M[N_1/x_1, \cdots, N_m/x_m] : \sigma$ such that $\delta(\Theta', r) \leq \delta(\Pi', r) + m\,\delta(\Sigma', r)$, and since $r \geq rk(\Pi)$:

  $\delta(\Theta', r) \leq \delta(\Pi', r) + r\,\delta(\Sigma', r) = \delta(\Pi, r) + \delta(\Sigma, r)$

Finally, by repeatedly applying the rules $(m)$ and $(w)$, which leave the space weight $\delta$ unchanged, the conclusion follows. □

We are now ready to show that the space weight $\delta$ gives a bound on the number of both $\beta$ and if rules in a computation path of the machine $K_B$.

Lemma 15. Let $P \in \mathcal{P}$ and $\nabla :: \models P \Downarrow b$.

(1) Consider an occurrence in $\nabla$ of the rule:

  $C, A@\{x' := N\} \models M[x'/x]\,V_1 \cdots V_m \Downarrow b$
  ------------------------------------------------------------ ($\beta$)
  $C, A \models (\lambda x.M)N\,V_1 \cdots V_m \Downarrow b$

Then, for every derivation $\Sigma \triangleright \vdash ((\lambda x.M)N\,V_1 \cdots V_m)^A : \mathbf{B}$ there exists a derivation $\Theta \triangleright \vdash (M[x'/x]\,V_1 \cdots V_m)^{A@\{x' := N\}} : \mathbf{B}$ such that for every $r \geq rk(\Sigma)$:

  $\delta(\Sigma, r) \geq \delta(\Theta, r)$

(2) Consider an occurrence in $\nabla$ of an if rule as:

  $C', A \models M \Downarrow b$      $C, A \models N_b\,V_1 \cdots V_m \Downarrow b'$
  ------------------------------------------------------------------------ (if $b$)
  $C, A \models (\text{if } M \text{ then } N_0 \text{ else } N_1)V_1 \cdots V_m \Downarrow b'$

where $C' = C[(\text{if } [\circ] \text{ then } N_0 \text{ else } N_1)V_1 \cdots V_m]$. Then, for each derivation $\Sigma \triangleright \vdash ((\text{if } M \text{ then } N_0 \text{ else } N_1)V_1 \cdots V_m)^A : \mathbf{B}$ there are derivations $\Theta \triangleright \vdash (M)^A : \mathbf{B}$ and $\Pi \triangleright \vdash (N_b\,V_1 \cdots V_m)^A : \mathbf{B}$ such that for every $r \geq rk(\Sigma)$:

  $\delta(\Sigma, r) \geq \delta(\Theta, r)$ and $\delta(\Sigma, r) \geq \delta(\Pi, r)$

Proof.

(1) We proceed by induction on $m$. Consider the case $m = 0$. We need to prove that if $\Pi \triangleright \Gamma \vdash (\lambda x.M)N : \sigma$, then there exists $\Pi' \triangleright \Gamma \vdash M[N/x] : \sigma$ with $rk(\Pi) \geq rk(\Pi')$ such that for $r \geq rk(\Pi)$:

  $\delta(\Pi, r) \geq \delta(\Pi', r)$

Since $(\forall E)$, $(\forall I)$, $(m)$ and $(w)$ rules do not change the space weight $\delta$, without loss of generality we can assume that $\Pi$ ends as follows:

  $\Pi_1 \triangleright \Gamma_1, x : \sigma \vdash M : A$
  ----------------------------------------- ($\multimap I$)
  $\Gamma_1 \vdash \lambda x.M : \sigma \multimap A$      $\Pi_2 \triangleright \Gamma_2 \vdash N : \sigma$
  ---------------------------------------------------------------------------- ($\multimap E$)
  $\Gamma_1, \Gamma_2 \vdash (\lambda x.M)N : A$
  ----------------------------------------- $(sp)^n$
  $!^n\Gamma_1, !^n\Gamma_2 \vdash (\lambda x.M)N : !^nA$

where $\Gamma_1 \# \Gamma_2$, $\Gamma = !^n\Gamma_1, !^n\Gamma_2$ and $\sigma \equiv !^nA$ for $n \geq 0$. Clearly, by definition of the space weight $\delta$, we have $\delta(\Pi, r) = r^n(\delta(\Pi_1, r) + 1 + \delta(\Pi_2, r))$. Since $r \geq rk(\Pi) \geq rk(\Pi_1)$, by Lemma 14 there exists a derivation $\Pi_3 \triangleright \Gamma_1, \Gamma_2 \vdash M[N/x] : A$ such that $\delta(\Pi_3, r) \leq \delta(\Pi_1, r) + \delta(\Pi_2, r)$. Hence, we can construct $\Pi'$ ending as:

  $\Pi_3 \triangleright \Gamma_1, \Gamma_2 \vdash M[N/x] : A$
  ----------------------------------------- $(sp)^n$
  $!^n\Gamma_1, !^n\Gamma_2 \vdash M[N/x] : !^nA$

Clearly $\delta(\Pi', r) \leq r^n(\delta(\Pi_1, r) + \delta(\Pi_2, r)) < \delta(\Pi, r)$, and so the conclusion follows.

The inductive step $m = k + 1$ follows easily by the induction hypothesis.

(2) It follows directly by the definition of the space weight $\delta$. □

It is easy to verify that $(h)$ rules leave the space weight unchanged, since $(x\, V_1 \cdots V_m)^{\mathcal{A}} = (N\, V_1 \cdots V_m)^{\mathcal{A}}$ if $\{x := N\} \in \mathcal{A}$. Hence, a direct consequence of the above lemma is the following.

Lemma 16. Let $\Pi \triangleright\ \vdash M : \mathbf{B}$ and $\nabla :: \models M \Downarrow b$. Then for each $\phi \in \nabla$ such that $\phi \equiv \mathcal{C}, \mathcal{A} \models N \Downarrow b'$, if $r \geq \mathrm{rk}(\Pi)$:

$$\#\beta(\phi) + \#\mathrm{if}(\phi) \leq \delta(\Pi, r)$$

Proof. Easy, by Lemma 15. □

Subject reduction does not increase the space weight.

Property 2. Let $\Pi \triangleright \Gamma \vdash M : \sigma$ and $M \to_{\beta\delta} N$. Then there exists $\Pi' \triangleright \Gamma \vdash N : \sigma$ with $\mathrm{rk}(\Pi) \geq \mathrm{rk}(\Pi')$ such that for each $r \geq \mathrm{rk}(\Pi)$:

$$\delta(\Pi, r) \geq \delta(\Pi', r)$$

Proof. By Lemma 14 and the definition of $\delta$. □

It is worth noticing that a reduction inside an if does not necessarily decrease the space weight $\delta$. This is the reason why we consider a non-strict inequality in the statement of the above property.

The previous result can be extended to the machine $\mathcal{K}_{\mathcal{C}}$ in the following way.

Property 3. Let $\Pi \triangleright\ \vdash M : \mathbf{B}$ and $\nabla :: \models M \Downarrow b$. For each configuration $\phi \in \nabla$ such that $\phi \equiv \mathcal{C}, \mathcal{A} \models N \Downarrow b'$ and $\mathcal{C} \neq \circ$ there exist derivations $\Sigma \triangleright\ \vdash (\mathcal{C}[N])^{\mathcal{A}} : \mathbf{B}$ and $\Theta \triangleright\ \vdash (N)^{\mathcal{A}} : \mathbf{B}$ such that $\Theta$ is a proper subderivation of $\Sigma$, and for each $r \geq \mathrm{rk}(\Pi)$:

$$\delta(\Pi, r) \geq \delta(\Sigma, r) > \delta(\Theta, r)$$

Proof. Easy. □

Note that in the above property we ask for $\mathcal{C} \neq \circ$ just in order to make the second inequality strict.

4.2 Proof of PSPACE Soundness

As defined in the previous section, the space used by the machine $\mathcal{K}_{\mathcal{C}}$ is the maximum space used by its configurations. In order to give an account of this space, we need to measure the increase in the size of a term during its evaluation. The key notion for realizing this measure is that of sliced occurrence of a variable, which takes into account that in performing an if reduction a subterm of the subject is erased. In particular, by giving a bound on the number of sliced occurrences of variables we obtain a bound on the number of applications of the $(h)$ rule in a path.

Definition 17. The number of sliced occurrences $n_{so}(x, M)$ of the variable $x$ in $M$ is defined as:

$$n_{so}(x, x) = 1, \qquad n_{so}(x, y) = n_{so}(x, 0) = n_{so}(x, 1) = 0,$$
$$n_{so}(x, MN) = n_{so}(x, M) + n_{so}(x, N), \qquad n_{so}(x, \lambda y.M) = n_{so}(x, M),$$
$$n_{so}(x, \text{if } M \text{ then } N_0 \text{ else } N_1) = \max\{n_{so}(x, M),\ n_{so}(x, N_0),\ n_{so}(x, N_1)\}$$

A type derivation gives us some information about the number of sliced occurrences 
of a free variable x in its subject M. 

Lemma 17. Let $\Pi \triangleright \Gamma, x : !^n A \vdash M : \sigma$. Then $n_{so}(x, M) \leq \mathrm{rk}(\Pi)^n$.

Proof. By induction on $n$.

Case $n = 0$. The conclusion follows easily by induction on $\Pi$. Base cases are trivial. In the case $\Pi$ ends by $(\mathbf{B}E)$, the conclusion follows by the definition of $n_{so}(x, M)$ and the induction hypothesis. The other cases follow directly from the induction hypothesis, remembering the side condition $\Gamma \# \Delta$ in the $(\multimap E)$ case.

Case $n > 0$. By induction on $\Pi$. The base case is trivial. Let the last rule of $\Pi$ be:

$$\frac{\Sigma \triangleright \Gamma \vdash M' : \mathbf{B} \qquad \Theta_0 \triangleright \Gamma \vdash N_0 : \sigma \qquad \Theta_1 \triangleright \Gamma \vdash N_1 : \sigma}{\Gamma \vdash \text{if } M' \text{ then } N_0 \text{ else } N_1 : \sigma}\ (\mathbf{B}E)$$

where $x : !^n A \in \Gamma$. By induction hypothesis $n_{so}(x, M') \leq \mathrm{rk}(\Sigma)^n$ and $n_{so}(x, N_i) \leq \mathrm{rk}(\Theta_i)^n$ for $i \in \{0, 1\}$. By definition of rank $\mathrm{rk}(\Pi) = \max\{\mathrm{rk}(\Sigma), \mathrm{rk}(\Theta_0), \mathrm{rk}(\Theta_1)\}$ and since by definition $n_{so}(x, \text{if } M' \text{ then } N_0 \text{ else } N_1)$ is equal to $\max\{n_{so}(x, M'), n_{so}(x, N_0), n_{so}(x, N_1)\}$, the conclusion follows.

Let the last rule of $\Pi$ be:

$$\frac{\Sigma \triangleright \Gamma, x_1 : !^{n-1} A, \ldots, x_m : !^{n-1} A \vdash N : \sigma}{\Gamma, x : !^n A \vdash N[x/x_1, \ldots, x/x_m] : \sigma}\ (m)$$

where $N[x/x_1, \ldots, x/x_m] = M$. By induction hypothesis $n_{so}(x_i, N) \leq \mathrm{rk}(\Sigma)^{n-1}$ for $1 \leq i \leq m$. Moreover $n_{so}(x, M) \leq \sum_{i=1}^{m} n_{so}(x_i, N)$ and, by definition of rank, $m \leq \mathrm{rk}(\Pi)$ and $\mathrm{rk}(\Sigma) \leq \mathrm{rk}(\Pi)$; hence $n_{so}(x, M) \leq m \cdot \mathrm{rk}(\Sigma)^{n-1} \leq \mathrm{rk}(\Pi)^n$. In every other case the conclusion follows directly by induction hypothesis. □

It is worth noting that the above lemma and the subject reduction property give dynamic information about the number of sliced occurrences of a variable.

Lemma 18. Let $\Pi \triangleright \Gamma, x : !^n A \vdash M : \sigma$ and $M \to^{*}_{\beta\delta} N$. Then $n_{so}(x, N) \leq \mathrm{rk}(\Pi)^n$.

Proof. Easy, by Property 2 and Lemma 17. □

The lemma above is essential to prove the following important property.

Lemma 19. Let $M \in \mathcal{P}_d$ and $\nabla :: \models M \Downarrow b$. Then for each $\phi \equiv \mathcal{C}, \mathcal{A} \models P \Downarrow b' \in \nabla$:

$$\#h(\phi) \leq \#\beta(\phi)\,|M|^d$$

Proof. For each $[x' := N] \in \mathcal{A}$ the variable $x'$ is a fresh copy of a variable $x$ originally bound in $M$. Hence, $M$ contains a subterm $(\lambda x.P)Q$ and there exists a derivation $\Pi$ such that $\Pi \triangleright \Gamma, x : !^n A \vdash P : B$. By Lemma 18, for every $P'$ such that $P \to^{*}_{\beta\delta} P'$ we have $n_{so}(x, P') \leq \mathrm{rk}(\Pi)^n$. So, in particular, the number of applications of $(h)$ rules on the variable $x'$ is bounded by $\mathrm{rk}(\Pi)^n$. Since $|M| \geq \mathrm{rk}(\Pi)$ and $d \geq n$, the conclusion follows. □

The following lemma relates the space weight with both the size of the term and the degree of the derivation.

Lemma 20. Let $\Pi \triangleright \Gamma \vdash M : \sigma$.

(1) $\delta(\Pi, 1) \leq |M|$

(2) $\delta(\Pi, r) \leq \delta(\Pi, 1) \times r^{d(\Pi)}$

(3) $\delta(\Pi, \mathrm{rk}(\Pi)) \leq |M|^{d(\Pi)+1}$

Proof.

(1) By induction on $\Pi$. Base cases are trivial. Cases $(sp)$, $(m)$, $(w)$, $(\forall I)$ and $(\forall E)$ follow directly by induction hypothesis. The other cases follow by the definition of $\delta(\Pi, 1)$.

(2) By induction on $\Pi$. Base cases are trivial. Cases $(m)$, $(w)$, $(\forall I)$ and $(\forall E)$ follow directly by induction hypothesis. The other cases follow by induction hypothesis and the definitions of $\delta(\Pi, r)$ and $d(\Pi)$.

(3) By definition of rank it is easy to verify that $\mathrm{rk}(\Pi) \leq |M|$, hence by the previous two points the conclusion follows. □

The next lemma gives a bound on the dimensions of all the components of a machine configuration, namely the term, the m-context and the B-context.

Lemma 21. Let $M \in \mathcal{P}_d$ and $\nabla :: \models M \Downarrow b$. Then for each $\phi \equiv \mathcal{C}, \mathcal{A} \models N \Downarrow b' \in \nabla$:

(1) $|\mathcal{A}| \leq 2|M|^{d+2}$

(2) $|N| \leq 2|M|^{2d+2}$

(3) $|\mathcal{C}| \leq 2|M|^{3d+3}$

Proof. Let $\Pi \triangleright\ \vdash M : \mathbf{B}$ be a derivation of degree at most $d$.

(1) By Lemma 13.1, Lemma 16 and Lemma 20.3:

$$|\mathcal{A}| \leq \#\beta(\phi)(|M| + 1) \leq \delta(\Pi, \mathrm{rk}(\Pi))(|M| + 1) \leq |M|^{d+1}(|M| + 1) \leq 2|M|^{d+2}$$

(2) By Lemma 13.2, Lemma 19, Lemma 12.1, Lemma 16 and Lemma 20.3:

$$|N| \leq (\#h(\phi) + 1)|M| \leq (\#\beta(\phi)|M|^d + 1)|M| \leq \#\beta(\phi)|M|^{d+1} + |M| \leq 2|M|^{2d+2}$$

(3) By Lemma 13.3, Lemma 12.2, the previous point of this lemma, Lemma 16 and Lemma 20.3:

$$|\mathcal{C}| \leq \#\mathrm{if}(\phi)\,\max\{|N'| \mid \psi \equiv \mathcal{C}', \mathcal{A}' \models N' \Downarrow b'' \in \mathrm{path}(\phi)\} \leq \#\mathrm{if}(\phi)\, 2|M|^{2d+2} \leq |M|^{d+1}\, 2|M|^{2d+2} \leq 2|M|^{3d+3}$$ □

The PSPACE soundness follows immediately from the definition of $\mathrm{space}(\nabla)$, for a machine evaluation $\nabla$, and from the previous lemma.

Theorem 4 (Polynomial Space Soundness). Let $M \in \mathcal{P}_d$. Then:

$$\mathrm{space}(M) \leq 6|M|^{3d+3}$$

Proof. By definition of $\mathrm{space}(M)$ and Lemma 21: the three components of any configuration of $\nabla$ have total size at most $2|M|^{d+2} + 2|M|^{2d+2} + 2|M|^{3d+3} \leq 6|M|^{3d+3}$. □

5. PSPACE COMPLETENESS

A well known result of the seventies states that the class of problems decidable by a Deterministic Turing Machine (DTM) in space polynomial in the length of the input coincides with the class of problems decidable by an Alternating Turing Machine (ATM) [Chandra et al. 1981] in time polynomial in the length of the input:

$$\mathrm{PSPACE} = \mathrm{APTIME}$$

We use this result, and we prove that each polynomial time ATM $\mathcal{M}$ can be simulated by a term typable in $\mathrm{STA}_{\mathbf{B}}$. In order to do this, we will use a result already obtained by two of the authors of this paper [Gaboardi and Ronchi Della Rocca 2007; Gaboardi 2007], namely that STA, the type assignment system for the $\lambda$-calculus on which $\mathrm{STA}_{\mathbf{B}}$ is based, characterizes all the polynomial time functions. In particular, we use the same encoding as in [Gaboardi and Ronchi Della Rocca 2007; Gaboardi 2007] for the representation of the polynomials. Notice that the data types are coded by means of terms that are typable in a uniform way through derivations of degree 0. This approach ensures that the degree of the polynomial space bound does not depend on the input data.

Some syntactic sugar

Let $\circ$ denote composition. In particular $M \circ N$ stands for $\lambda z.M(Nz)$ and $M_1 \circ M_2 \circ \cdots \circ M_n$ stands for $\lambda z.M_1(M_2(\cdots(M_n z)))$.

Tensor product is definable as $\sigma \otimes \tau = \forall\alpha.(\sigma \multimap \tau \multimap \alpha) \multimap \alpha$. In particular $\langle M, N\rangle$ stands for $\lambda x.xMN$ and $\text{let } z \text{ be } x, y \text{ in } N$ stands for $z(\lambda x.\lambda y.N)$. Note that, since $\mathrm{STA}_{\mathbf{B}}$ is an affine system, tensor product enjoys some properties of the additive conjunction, so as to permit the projections: as usual $\pi_1(M)$ stands for $M(\lambda x.\lambda y.x)$ and $\pi_2(M)$ stands for $M(\lambda x.\lambda y.y)$. The $n$-ary tensor product can be easily defined through the binary one and we use $\sigma^n$ to denote $\sigma \otimes \cdots \otimes \sigma$ ($n$ times). In the sequel we sometimes consider tensor product modulo associativity.

$\mathbf{B}$-programmable functions

We need both to generalize the usual notion of lambda definability, given in [Barendregt 1984], to different kinds of input data, and to specialize it to our typing system.

Definition 18. Let $f : I_1 \times \cdots \times I_n \to O$ be a total function, let $O, I_1, \ldots, I_n \in \mathcal{T}_{\mathbf{B}}$ and let elements $o \in O$ and $i_j \in I_j$, for $1 \leq j \leq n$, be encoded by terms $\underline{o}$ and $\underline{i_j}$ such that $\vdash \underline{o} : O$ and $\vdash \underline{i_j} : I_j$.

(i) The function $f$ is $\mathbf{B}$-definable if there is a term $\underline{f} \in \Lambda_{\mathbf{B}}$ such that $\vdash \underline{f}\,\underline{i_1} \cdots \underline{i_n} : O$

(ii) Let $O = \mathbf{B}$. The function $f$ is $\mathbf{B}$-programmable if there is a term $\underline{f} \in \Lambda_{\mathbf{B}}$ such that $\underline{f}\,\underline{i_1} \cdots \underline{i_n} \in \mathcal{P}$ and:

$$f(i_1, \ldots, i_n) = b \iff\ \models \underline{f}\,\underline{i_1} \cdots \underline{i_n} \Downarrow b$$
Natural numbers and strings of booleans

Natural numbers, as usual in the $\lambda$-calculus, are represented by Church numerals, i.e. $\underline{n} = \lambda s.\lambda z.s^n(z)$. Each Church numeral $\underline{n}$ is such that $\vdash \underline{n} : \mathbf{N}_i$ for every $i \geq 1$, where the indexed type $\mathbf{N}_i$ is defined as:

$$\mathbf{N}_i = \forall\alpha.!^i(\alpha \multimap \alpha) \multimap \alpha \multimap \alpha$$

It is easy to check that $\underline{n}$ is typable by means of derivations with degree 0. We simply use $\mathbf{N}$ to mean $\mathbf{N}_1$.

The standard terms $\mathsf{suc} = \lambda n.\lambda s.\lambda z.s(nsz)$, $\mathsf{add} = \lambda n.\lambda m.\lambda s.\lambda z.ns(msz)$ and $\mathsf{mul} = \lambda n.\lambda m.\lambda s.n(ms)$, defining successor, addition and multiplication, analogously to what happens in STA, are typable as: $\vdash \mathsf{suc} : \mathbf{N}_i \multimap \mathbf{N}_{i+1}$, $\vdash \mathsf{add} : \mathbf{N}_i \multimap \mathbf{N}_j \multimap \mathbf{N}_{\max(i,j)+1}$ and $\vdash \mathsf{mul} : \mathbf{N}_i \multimap\ !^i\mathbf{N}_j \multimap \mathbf{N}_{i+j}$. From this we have for $\mathrm{STA}_{\mathbf{B}}$ the following completeness for polynomials.

Lemma 22 [Gaboardi and Ronchi Della Rocca 2007]. Let $P$ be a polynomial and $\deg(P)$ its degree. Then there is a term $\underline{P}$ defining $P$ typable as:

$$\vdash \underline{P} : !^{\deg(P)}\mathbf{N} \multimap \mathbf{N}_{2\deg(P)+1}$$

Strings of booleans are represented by terms of the shape $\lambda c.\lambda z.c\,b_0(\cdots(c\,b_n\,z)\cdots)$ where $b_i \in \{0, 1\}$. Such terms are typable by the indexed type $\mathbf{S}_i = \forall\alpha.!^i(\mathbf{B} \multimap \alpha \multimap \alpha) \multimap \alpha \multimap \alpha$. Again, we write $\mathbf{S}$ to mean $\mathbf{S}_1$. Moreover, there is a term $\mathsf{len} = \lambda c.\lambda s.c(\lambda x.\lambda y.sy)$ typable as $\vdash \mathsf{len} : \mathbf{S}_i \multimap \mathbf{N}_i$, that given a string of booleans returns its length. Note that the data types defined above can be typed in $\mathrm{STA}_{\mathbf{B}}$ by derivations with degree 0.
Boolean connectives

It is worth noting that due to the presence of the $(\mathbf{B}E)$ rule it is possible to define the usual boolean connectives. Remembering that in our language $0$ denotes "true" while $1$ denotes "false", we have the following terms:

$$M \text{ and } N = \text{if } M \text{ then } (\text{if } N \text{ then } 0 \text{ else } 1) \text{ else } 1$$

$$M \text{ or } N = \text{if } M \text{ then } 0 \text{ else } (\text{if } N \text{ then } 0 \text{ else } 1)$$

It is worth noticing that due to the presence of the $(\mathbf{B}E)$ rule, the following rules with an additive management of contexts are derivable in $\mathrm{STA}_{\mathbf{B}}$:

$$\frac{\Gamma \vdash M : \mathbf{B} \qquad \Gamma \vdash N : \mathbf{B}}{\Gamma \vdash M \text{ and } N : \mathbf{B}} \qquad\qquad \frac{\Gamma \vdash M : \mathbf{B} \qquad \Gamma \vdash N : \mathbf{B}}{\Gamma \vdash M \text{ or } N : \mathbf{B}}$$

Moreover, there is a term $\mathsf{not}$ defining the expected boolean function.
ATM Configurations

The encoding of Deterministic Turing Machine configurations given in [Gaboardi and Ronchi Della Rocca 2007] can be adapted in order to encode Alternating Turing Machine configurations. In fact, an ATM configuration can be viewed as a DTM configuration with extra information about the state. There are four kinds of state: accepting ($A$), rejecting ($R$), universal ($\wedge$) and existential ($\vee$). We can encode such information by tensor pairs of booleans. In particular:

$$\langle 1, 0\rangle \mapsto A \qquad \langle 1, 1\rangle \mapsto R \qquad \langle 0, 1\rangle \mapsto \wedge \qquad \langle 0, 0\rangle \mapsto \vee$$

We say that a configuration is accepting, rejecting, universal or existential depending on the kind of its state.

We can encode ATM configurations by terms of the shape:

$$\lambda c.\langle c\,b^l_0 \circ \cdots \circ c\,b^l_n,\ c\,b^r_0 \circ \cdots \circ c\,b^r_m,\ \langle \mathbf{Q}, \mathbf{k}\rangle\rangle$$

where $c\,b^l_0 \circ \cdots \circ c\,b^l_n$ and $c\,b^r_0 \circ \cdots \circ c\,b^r_m$ are respectively the left and right hand side words on the ATM tape, $\mathbf{Q}$ is a tuple of length $q$ encoding the state and $\mathbf{k} = \langle k_1, k_2\rangle$ is the tensor pair encoding the kind of the state. By convention, the left part of the tape is represented in reversed order, the alphabet is composed of the two symbols $0$ and $1$, the scanned symbol is the first symbol in the right part, and final states are divided into accepting and rejecting.

Each term representing a configuration can be typed by indexed types (for every $i \geq 1$) as:

$$\mathbf{ATM}_i = \forall\alpha.!^i(\mathbf{B} \multimap \alpha \multimap \alpha) \multimap ((\alpha \multimap \alpha)^2 \otimes \mathbf{B}^{q+2})$$

We need some terms defining operations on ATMs. In particular, the term $\mathsf{Init} = \lambda t.\lambda c.\langle \lambda z.z,\ \lambda z.t(c\,0)z,\ \langle \mathbf{Q}_0, \mathbf{k}_0\rangle\rangle$ defines the initialization function that takes as input a Church numeral $\underline{n}$ and gives as output a Turing machine with tape of length $n$ filled by $0$'s, in the initial state $\mathbf{Q}_0 = \langle q_0, \ldots, q_n\rangle$ of kind $\mathbf{k}_0 = \langle k^0_1, k^0_2\rangle$, and with the head at the beginning of the tape. It is easy to verify that $\vdash \mathsf{Init} : \mathbf{S}_i \multimap \mathbf{ATM}_i$ for every $i \geq 1$.

An ATM transition relation $\delta$ can be considered as the union of the transition functions $\delta_1, \ldots, \delta_n$ of its components. So, we need to show that transition functions are definable. We decompose an ATM transition step in two stages. In the first stage, the ATM configuration is decomposed to extract the information needed by the transition relation. In the second one, the previously obtained information is combined, depending on the considered transition function $\delta_j$, in order to build the new ATM configuration. The term performing the decomposition stage is:

$$\mathsf{Dec} = \lambda s.\lambda c.\text{let } s(\mathbf{F}[c]) \text{ be } l, r, p \text{ in let } p \text{ be } q, k \text{ in let } l\langle \mathbf{I}, \lambda x.\mathbf{I}, 0\rangle \text{ be } t_l, c_l, b_l \text{ in let } r\langle \mathbf{I}, \lambda x.\mathbf{I}, 0\rangle \text{ be } t_r, c_r, b_r \text{ in } \langle t_l, t_r, c_l, b_l, c_r, b_r, q, k\rangle$$

where $\mathbf{I} = \lambda x.x$ and $\mathbf{F}[c] = \lambda b.\lambda z.\text{let } z \text{ be } g, h, i \text{ in } \langle hi \circ g, c, b\rangle$. It is boring but easy to check that the term $\mathsf{Dec}$ can be typed as $\vdash \mathsf{Dec} : \mathbf{ATM}_i \multimap \mathbf{ID}_i$, where the indexed type $\mathbf{ID}_i$ is used to type the intermediate configuration decomposition and it is defined as

$$\mathbf{ID}_i = \forall\alpha.!^i(\mathbf{B} \multimap \alpha \multimap \alpha) \multimap ((\alpha \multimap \alpha)^2 \otimes ((\mathbf{B} \multimap \alpha \multimap \alpha) \otimes \mathbf{B})^2 \otimes \mathbf{B}^q \otimes \mathbf{B}^2)$$

The behaviour of $\mathsf{Dec}$ is the following:

$$\mathsf{Dec}\,(\lambda c.\langle c\,b^l_0 \circ \cdots \circ c\,b^l_n,\ c\,b^r_0 \circ \cdots \circ c\,b^r_m,\ \langle \mathbf{Q}, \mathbf{k}\rangle\rangle) \to^{*} \lambda c.\langle c\,b^l_1 \circ \cdots \circ c\,b^l_n,\ c\,b^r_1 \circ \cdots \circ c\,b^r_m,\ c, b^l_0, c, b^r_0, \mathbf{Q}, \mathbf{k}\rangle$$

The transition combination stage is performed by the term

$$\mathsf{Com} = \lambda s.\lambda c.\text{let } sc \text{ be } l, r, c_l, b_l, c_r, b_r, q, k \text{ in let } \underline{\delta_j}\langle b_r, q, k\rangle \text{ be } b', q', k', m \text{ in } (\text{if } m \text{ then } \mathbf{R} \text{ else } \mathbf{L})\, b'\, q'\, k'\, \langle l, r, c_l, b_l, c_r\rangle$$

where $\mathbf{R} = \lambda b'.\lambda q'.\lambda k'.\lambda s.\text{let } s \text{ be } l, r, c_l, b_l, c_r \text{ in } \langle c_r b' \circ c_l b_l \circ l,\ r,\ \langle q', k'\rangle\rangle$, $\mathbf{L} = \lambda b'.\lambda q'.\lambda k'.\lambda s.\text{let } s \text{ be } l, r, c_l, b_l, c_r \text{ in } \langle l,\ c_l b_l \circ c_r b' \circ r,\ \langle q', k'\rangle\rangle$ and $\underline{\delta_j}$ is a term defining the $\delta_j$ component of the transition relation $\delta$. The term $\mathsf{Com}$ can be typed as $\vdash \mathsf{Com} : \mathbf{ID}_i \multimap \mathbf{ATM}_i$. It combines the symbols obtained after the decomposition stage depending on the considered component $\delta_j$ and returns the new ATM configuration. If $\delta_j(b^r_0, \mathbf{Q}, \mathbf{k}) = (b', \mathbf{Q}', \mathbf{k}', \mathrm{Right})$, then

$$\mathsf{Com}\,(\lambda c.\langle c\,b^l_1 \circ \cdots \circ c\,b^l_n,\ c\,b^r_1 \circ \cdots \circ c\,b^r_m,\ c, b^l_0, c, b^r_0, \mathbf{Q}, \mathbf{k}\rangle) \to^{*} \lambda c.\langle c\,b' \circ c\,b^l_0 \circ c\,b^l_1 \circ \cdots \circ c\,b^l_n,\ c\,b^r_1 \circ \cdots \circ c\,b^r_m,\ \langle \mathbf{Q}', \mathbf{k}'\rangle\rangle$$

otherwise, if $\delta_j(b^r_0, \mathbf{Q}, \mathbf{k}) = (b', \mathbf{Q}', \mathbf{k}', \mathrm{Left})$ then

$$\mathsf{Com}\,(\lambda c.\langle c\,b^l_1 \circ \cdots \circ c\,b^l_n,\ c\,b^r_1 \circ \cdots \circ c\,b^r_m,\ c, b^l_0, c, b^r_0, \mathbf{Q}, \mathbf{k}\rangle) \to^{*} \lambda c.\langle c\,b^l_1 \circ \cdots \circ c\,b^l_n,\ c\,b^l_0 \circ c\,b' \circ c\,b^r_1 \circ \cdots \circ c\,b^r_m,\ \langle \mathbf{Q}', \mathbf{k}'\rangle\rangle$$

The term that takes a configuration and returns its kind is:

$$\mathsf{Kind} = \lambda x.\text{let } x(\lambda b.\lambda y.y) \text{ be } l, r, s \text{ in } (\text{let } s \text{ be } q, k \text{ in } k)$$

which is typable as $\vdash \mathsf{Kind} : \mathbf{ATM}_i \multimap \mathbf{B}^2$. Finally the term

$$\mathsf{Ext} = \lambda x.\text{let } (\mathsf{Kind}\ x) \text{ be } l, r \text{ in } r$$

typable as $\vdash \mathsf{Ext} : \mathbf{ATM}_i \multimap \mathbf{B}$, returns $0$ or $1$ according to whether a given configuration is accepting or rejecting.

Evaluation function

Given an ATM $\mathcal{M}$ working in polynomial time we define a recursive evaluation procedure $\mathsf{eval}_{\mathcal{M}}$ that takes a string $s$ and returns $0$ or $1$ if the initial configuration (with the tape filled with $s$) leads to an accepting or rejecting configuration respectively.

Without loss of generality we consider ATMs with transition relation $\delta$ of degree two. So in particular, at each step we have two transition terms $\mathsf{Tr}^1_{\mathcal{M}}$ and $\mathsf{Tr}^2_{\mathcal{M}}$ defining the two components $\delta_1$ and $\delta_2$ of the transition relation of $\mathcal{M}$. We need to define some auxiliary functions. In particular, we need a function $\alpha$ acting as

$$\alpha(A, M_1, M_2) = A \qquad\qquad \alpha(\wedge, M_1, M_2) = M_1 \wedge M_2$$
$$\alpha(R, M_1, M_2) = R \qquad\qquad \alpha(\vee, M_1, M_2) = M_1 \vee M_2$$

This can be defined by the term

$$\alpha(M_0, M_1, M_2) = \text{let } M_0 \text{ be } a_1, a_2 \text{ in if } a_1 \text{ then } (\text{if } a_2 \text{ then } \langle a_1, \pi_2(M_1) \text{ or } \pi_2(M_2)\rangle \text{ else } \langle a_1, \pi_2(M_1) \text{ and } \pi_2(M_2)\rangle) \text{ else } \langle a_1, a_2\rangle$$

It is worth noting that $\alpha$ has typing:

$$\frac{\Gamma \vdash M_0 : \mathbf{B}^2 \qquad \Gamma \vdash M_1 : \mathbf{B}^2 \qquad \Gamma \vdash M_2 : \mathbf{B}^2}{\Gamma \vdash \alpha(M_0, M_1, M_2) : \mathbf{B}^2}$$

where the context management is additive. This is one of the main reasons for introducing the if rule with an additive management of contexts. Moreover, note that we do not need any modality here; in particular this means that the $\alpha$ function can be defined in the linear fragment of the $\mathrm{STA}_{\mathbf{B}}$ system.

The evaluation function $\mathsf{eval}_{\mathcal{M}}$ can now be defined as an iteration of a higher order $\mathsf{Step}_{\mathcal{M}}$ function over a $\mathsf{Base}$ case. Let $\mathsf{Tr}^1_{\mathcal{M}}$ and $\mathsf{Tr}^2_{\mathcal{M}}$ be two closed terms defining the two components of the transition relation. Let us define

$$\mathsf{Base} = \lambda c.(\mathsf{Kind}\ c)$$
$$\mathsf{Step}_{\mathcal{M}} = \lambda h.\lambda c.\alpha((\mathsf{Kind}\ c),\ (h(\mathsf{Tr}^1_{\mathcal{M}}\ c)),\ (h(\mathsf{Tr}^2_{\mathcal{M}}\ c)))$$

It is easy to verify that such terms are typable as:

$$\vdash \mathsf{Base} : \mathbf{ATM}_i \multimap \mathbf{B}^2$$
$$\vdash \mathsf{Step}_{\mathcal{M}} : (\mathbf{ATM}_i \multimap \mathbf{B}^2) \multimap \mathbf{ATM}_i \multimap \mathbf{B}^2$$

Let $P$ be a polynomial definable by a term $\underline{P}$ typable as $\vdash \underline{P} : !^{\deg(P)}\mathbf{N} \multimap \mathbf{N}_{2\deg(P)+1}$. Then, the evaluation function of an ATM $\mathcal{M}$ working in polynomial time $P$ is definable by the term:

$$\mathsf{eval}_{\mathcal{M}} = \lambda s.\mathsf{Ext}((\underline{P}\ (\mathsf{len}\ s)\ \mathsf{Step}_{\mathcal{M}}\ \mathsf{Base})(\mathsf{Init}\ s))$$

which is typable in $\mathrm{STA}_{\mathbf{B}}$ as $\vdash \mathsf{eval}_{\mathcal{M}} : !^t\mathbf{S} \multimap \mathbf{B}$ where $t = \max(\deg(P), 1) + 1$. Here, the evaluation is performed by a higher order iteration, which represents a recurrence with parameter substitutions. Note that by considering an ATM $\mathcal{M}$ that decides a language $\mathcal{L}$, we have that the final configuration is either accepting or rejecting. Hence the term $\mathsf{Ext}$ can be applied with the intended meaning.
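The following Python is an added example, not code from the paper, that renders the completeness construction end to end and serves both the boolean connectives above (0 is true, 1 is false, `and`/`or` written with if) and the $\alpha$, $\mathsf{Step}_{\mathcal{M}}$, $\mathsf{Base}$ iteration just defined. Kinds are the boolean pairs of the table; `alpha` receives the two branch outcomes as thunks so that, as under call-by-name, a final kind forces neither of them and the two branches are never live at the same time; the polynomial iteration $\underline{P}\,(\mathsf{len}\ s)\,\mathsf{Step}\,\mathsf{Base}$ is a Church-numeral iteration built from the paper's `add` and `len` terms. The ATM itself (a degree-two machine scanning a binary tape), its configuration layout and an `Init` that loads the input string onto the tape are this example's own constructions and are not the paper's encodings.

```python
"""Added example (not the paper's code): the Section 5 construction in Python.
Booleans: 0 = true, 1 = false. Kinds: the boolean pairs of the paper's table.
The ATM, the configuration layout and Init below are constructed here."""
from functools import reduce

TRUE, FALSE = 0, 1


def if_(b, n0, n1):
    """if b then n0 else n1: the boolean 0 selects n0."""
    return n0 if b == 0 else n1


def and_(m, n):                         # if M then (if N then 0 else 1) else 1
    return if_(m, if_(n, TRUE, FALSE), FALSE)


def or_(m, n):                          # if M then 0 else (if N then 0 else 1)
    return if_(m, TRUE, if_(n, TRUE, FALSE))


def not_(m):
    return if_(m, FALSE, TRUE)


# Kinds of states as tensor pairs <k1, k2>: accepting, rejecting, universal, existential.
ACC, REJ, UNIV, EXIST = (1, 0), (1, 1), (0, 1), (0, 0)


def alpha(k, m1, m2):
    """alpha(M0, M1, M2) of the paper; m1 and m2 are thunks returning kinds."""
    a1, a2 = k
    if a1 == 0:                         # non-final state: combine the branches
        if a2 == 0:                     # existential: disjunction of outcomes
            return (a1, or_(m1()[1], m2()[1]))
        return (a1, and_(m1()[1], m2()[1]))   # universal: conjunction
    return (a1, a2)                     # accepting/rejecting: branches never forced


# Church numerals, boolean strings and the len term as higher-order functions.
def church(n):
    return lambda s: lambda z: reduce(lambda acc, _: s(acc), range(n), z)


add = lambda n: lambda m: lambda s: lambda z: n(s)(m(s)(z))
to_int = lambda n: n(lambda k: k + 1)(0)


def string(bits):                       # λc.λz. c b0 (c b1 (... (c bn z)))
    return lambda c: lambda z: reduce(lambda acc, b: c(b)(acc), reversed(list(bits)), z)


length = lambda w: lambda s: w(lambda x: lambda y: s(y))   # len = λc.λs. c (λx.λy. s y)


# A constructed ATM of degree two. A configuration is (left word reversed,
# right word, state, kind); the scanned symbol is right[0]. In the scanning
# state, branch 1 checks the scanned symbol and halts, branch 2 moves right;
# past the end of the tape both branches halt with kind `at_end`.
def make_atm(kind, at_end):
    def tr1(c):
        left, right, q, k = c
        if k in (ACC, REJ):
            return c
        if not right:
            return (left, right, "halt", at_end)
        return (left, right, "halt", ACC if right[0] == 1 else REJ)

    def tr2(c):
        left, right, q, k = c
        if k in (ACC, REJ):
            return c
        if not right:
            return (left, right, "halt", at_end)
        return ((right[0],) + left, right[1:], q, k)

    return tr1, tr2


Kind = lambda c: c[3]
Ext = lambda k: k[1]                    # second component: 0 accepting, 1 rejecting
Init = lambda bits, kind: ((), tuple(bits), "scan", kind)   # constructed: loads the string
Base = lambda c: Kind(c)


def Step(tr1, tr2):
    return lambda h: lambda c: alpha(Kind(c), lambda: h(tr1(c)), lambda: h(tr2(c)))


def eval_atm(kind, at_end, bits):
    """eval_M s = Ext((P (len s) Step Base)(Init s)) with P(n) = n + 2,
    enough iterations for this machine to reach a final configuration."""
    tr1, tr2 = make_atm(kind, at_end)
    P = add(length(string(bits)))(church(2))
    return Ext(P(Step(tr1, tr2))(Base)(Init(bits, kind)))


# EXIST with at_end = REJ decides "some symbol is 1";
# UNIV with at_end = ACC decides "every symbol is 1".
exists_one = lambda bits: eval_atm(EXIST, REJ, bits)
all_ones = lambda bits: eval_atm(UNIV, ACC, bits)
```

Because `alpha` forces the first thunk to completion before touching the second, the recursion explores the computation tree depth first and only one root-to-leaf path is ever on the Python stack, which is the space behaviour the machine $\mathcal{K}_{\mathcal{C}}$ obtains from its two memory devices. If $P$ is chosen too small, `Base` is reached on a non-final configuration and `Ext` reads the second component of a $\wedge$ or $\vee$ kind, which is why the iteration bound must dominate the running time of the ATM.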

Lemma 23. A decision problem $\mathcal{D} : \{0, 1\}^* \to \{0, 1\}$ decidable by an ATM $\mathcal{M}$ in polynomial time is $\mathbf{B}$-programmable in $\mathrm{STA}_{\mathbf{B}}$.

Proof. $\mathcal{D}(s) = b \iff\ \models \mathsf{eval}_{\mathcal{M}}\,\underline{s} \Downarrow b$. □

From the well known result of [Chandra et al. 1981] we can conclude.

Theorem 5 (Polynomial Space Completeness). Every decision problem $\mathcal{D} \in \mathrm{PSPACE}$ is $\mathbf{B}$-programmable in $\mathrm{STA}_{\mathbf{B}}$.
6. CONCLUSION

In this paper we have designed $\mathrm{STA}_{\mathbf{B}}$, a language correct and complete with respect to polynomial space computations. Namely, the calculus is an extension of the $\lambda$-calculus, and we supplied a type assignment system for it, such that well typed programs (closed terms of constant type) can be evaluated in polynomial space, and moreover all polynomial space decision functions can be computed by well typed programs. In order to perform the complexity bounded evaluation a suitable evaluation machine $\mathcal{K}_{\mathcal{C}}$ has been defined, evaluating programs according to the leftmost outermost evaluation strategy and using two memory devices, one in order to make the evaluation space-efficient and the other in order to avoid backtracking.

The results presented in this paper have been obtained by exploiting the equivalence [Chandra et al. 1981]:

$$\mathrm{PSPACE} = \mathrm{APTIME}$$

Indeed, evaluations in the machine $\mathcal{K}_{\mathcal{C}}$ can be regarded as computations in Alternating Turing Machines. Moreover, the simulation of big-step evaluations by means of small-step reductions is reminiscent of the simulation of ATMs by means of Deterministic Turing Machines. Conversely, the PSPACE completeness is shown by encoding polynomial time ATMs by means of well typed terms. An interesting fact in the completeness proof is that the modal part of the $\mathrm{STA}_{\mathbf{B}}$ system is only involved in the polynomial iteration, while the ATM behaviour (i.e. the $\alpha$ function) can be defined in the modal-free fragment of the system. On the basis of these facts, we think that our tools could be fruitfully used in order to revisit some classical complexity results relating time and space [Stockmeyer 1976].

Starting from the type system $\mathrm{STA}_{\mathbf{B}}$ presented in this paper, one may wonder how to exploit the proofs-as-programs correspondence in the design of a purely logical characterization of the class PSPACE. In particular, one would like to understand how to do this in sequent calculus or proof nets, the two proof formalisms most natural for linear logic. Unfortunately, the logical sequent calculus system obtained by forgetting terms is unsatisfactory. Indeed, it is not so easy to understand how to transfer the complexity bound from the term evaluation to cut-elimination in a logic. Moreover, boolean constants are redundant and the $\mathrm{STA}_{\mathbf{B}}$ rule $(\mathbf{B}E)$ has no direct correspondent in sequent calculus. All these difficulties suggest that exploring this direction could be a true test for the light logics principles.